Abstract

For a discrete or a continuous source model, we study the problem of key distillation with one
round of rate-limited public communication between two legitimate users. Although we do not derive new
bounds on the wiretap secret-key (WSK) capacity for the discrete source model, we study an alternative
achievability scheme that may be useful for practical applications such as quantum key distribution (QKD)
or physical-layer security, and that conveniently extends known bounds to the case of a continuous
source model. Specifically, we consider a sequential key-distillation strategy that implements a
rate-limited reconciliation step to handle reliability, followed by a privacy amplification step performed
with extractors to handle secrecy. We prove that such a sequential strategy leads to an optimal
key-distillation (under the assumption of degraded sources in the case of two-way communication).
Furthermore, we study under which conditions secrecy and reliability can be treated as independent
problems. Finally, in the case of one-way rate-limited public communication, we illustrate our results
for a binary and a Gaussian degraded source model.

Index Terms 

Wiretap secret-key capacity, sequential key-distillation, reconciliation, privacy amplification 

I. Introduction 

Information-theoretic secret-key agreement protocols [1], [2] draw their strength from a security relying
on information-theoretic metrics rather than on complexity theory, thereby avoiding the assumption of
limited computational power for the eavesdropper. In such protocols, two legitimate users (Alice and
Bob) and an eavesdropper (Eve) observe the realizations of correlated random variables (RVs), discrete
or continuous. The legitimate users, who can exchange messages over a public channel, aim at extracting
a common secret key from their observations. The rules by which the legitimate users compute the
messages they exchange over the public channel and agree on a key define a key-distillation strategy.
The maximum number of secret-key bits per observed realization of the RVs is called the wiretap
secret-key (WSK) capacity [2], [3].

Closed-form expressions and bounds for the WSK capacity have been established for a large variety of 
models [1], [2], [3]. However, usual achievability proofs rely on a random binning argument and thus, do 
not always provide direct insight into the design of practical key-distillation strategies. Moreover, such 
proofs handle reliability (the legitimate users must share the same key) and secrecy (the key must be 
unknown to the eavesdropper) jointly, which creates a complex dependence between the public messages 
exchanged and the secret key constructed, and might limit the flexibility of the scheme. 
For practical key-distillation, as in QKD [4], [5] or physical-layer security for wireless channels [6],
a sequential key-distillation strategy is often used. Such a strategy consists of two steps that handle
reliability and secrecy successively, instead of jointly. A reconciliation step [7] is first performed, during
which Alice and Bob communicate over the public channel to agree on a common bit sequence, that
might not be totally hidden from Eve. Then, a privacy amplification step [8], [9] is performed, during
which Alice and Bob apply a deterministic function to their shared sequence to generate their common
secret key, this time completely unknown to Eve.¹

The main benefit of sequential key-distillation strategies is to separate how one deals with reliability
and secrecy,² and thus to provide a perhaps more practical key-distillation design. Indeed, reconciliation
can be efficiently implemented with LDPC codes [11], [12] and privacy amplification can be performed
with hash functions or with extractors [8], [9]. While sequential key-distillation is studied in [9], [13]
in the case of a public channel of unlimited capacity, we focus here on sequential key-distillation with
rate-limited public communication to account for realistic constraints (real equipment may have limited
bandwidth resources, such as in wireless sensor networks). Note that the achievability scheme of [14,
Theorem 4.1], which only holds for Gaussian sources and when there is no side information at the
eavesdropper, is very close to the sequential approach that we study, even though their model is different
in that it deals with a quantized source and unrestricted public communication. Although we do not
improve WSK capacity bounds for the discrete source model, we provide an achievability scheme that
might be easier to translate into practical designs.

¹ As remarked in [10], when the eavesdropper has access to the messages publicly exchanged but not to a RV correlated to
the legitimate users' ones, a close relation exists between the secret-key capacity and a source coding problem free from any
secrecy constraint. The principle of sequential key-distillation strategies goes further, since it explicitly breaks down the protocol
into two parts, one of which is free from any secrecy constraint. We show that this principle is optimal and applicable even
if the eavesdropper has a RV correlated to the legitimate users' ones, i.e., for the WSK capacity.

² We mean that the key-distillation can be performed by the succession of two protocols, one, free from any secrecy
constraint, dealing with reliability, and the other dealing with secrecy. A stronger result would be that optimizing both protocols
independently leads to the best possible key-distillation strategy. In Sections IV-C and V, we prove that this stronger result holds
in some cases (see Section IV-C for further clarifications).

The main contributions of this work are:

• an alternative achievability scheme that separates reliability and secrecy by means of a reconciliation 
protocol and a privacy amplification step performed with extractors, which achieves 

(i) the best known bound of the two-way one round rate-limited WSK capacity in the case of degraded 
sources; 

(ii) the one-way rate-limited WSK capacity (it extends [15], in which degraded sources are assumed); 

(iii) the two-way one round rate-limited SK capacity (no side information at the eavesdropper); 
These results extend the bounds for a discrete source model in [3], to the case of a continuous source 
model (the case of the one-way rate-limited WSK capacity is treated in [16], but only for degraded 
sources); 

• the proof that optimizing reconciliation and privacy amplification independently leads to the best
possible key-distillation strategy for special cases, which is of primary importance to obtain a flexible
coding scheme;

• the characterization of the rate-limited reconciliation capacity, which corresponds to the best
trade-off between the length of the sequence shared by Alice and Bob after reconciliation and the quantity
of information publicly exchanged;

• the illustration of the results for binary and Gaussian degraded sources, for which reconciliation and 
privacy amplification can be designed independently in the case of a one-way rate-limited public 
communication. This includes the determination of a closed-form expression of the WSK capacity 
for binary symmetric sources. 

The remainder of the paper is organized as follows. In Section III, we formally introduce the problem 
studied in the paper. In Section IV, we characterize the one round rate-limited reconciliation capacity, and 
we prove that the sequential application of reconciliation and privacy amplification with extractors is an 
optimal key-distillation strategy. We also provide scenarios for which these two phases can be designed 
independently of each other. Finally, in Section V, we illustrate our results in the cases of binary and
Gaussian degraded sources for a one-way rate-limited communication. All proofs are gathered in the
appendices to streamline presentation.

II. Notation 

Consider $p, q \in \mathbb{R}$. We define the following associative and commutative operation
$p \star q = p(1 - q) + (1 - p)q$; observe that $[0, 1]$ is closed with respect to $\star$. We define the
integer interval $[\![p, q]\!]$ as the set of integers between $\lfloor p \rfloor$ and $\lceil q \rceil$.
We define $[p]^+$ as $\max(0, p)$. Finally, we note $H_b(\cdot)$ the binary entropy, and
$(\mathcal{B}_c(K), \|\cdot\|_\infty)$ the set of $K$-bounded continuous functions, where $K \in \mathbb{R}$.

III. Problem Statement 

As illustrated in Figure 1, a source model for secret-key agreement represents a situation in which
two legitimate users, Alice and Bob, and one eavesdropper, Eve, observe the realizations of a
memoryless source (MS) $(\mathcal{X}\mathcal{Y}\mathcal{Z}, p_{XYZ})$, that can be either discrete (DMS) or
continuous (CMS). The three components X, Y and Z are observed by Alice, Bob, and Eve, respectively.
The MS is assumed to be outside the control of all parties, but its statistics are known. Alice and Bob's
objective is to process their observations and agree on a key K, about which Eve should have no
information. We assume a two-way one-round communication between Alice and Bob, that is, we suppose
that Alice first sends a message to Bob, and that in return Bob sends a message to Alice.³ We also assume
that the messages are exchanged over an authenticated noiseless public channel with limited rate; in other
words, Eve has total access to Alice and Bob's messages, but cannot tamper with the messages over the
channel. We now formally define a key-distillation strategy.

³ One could also suppose that Bob is the one who sends messages, in which case one only needs to exchange the role of X
and Y in the following.

Definition 1. A $(2^{nR}, n, R_1, R_2)$ key-distillation strategy $S_n$ for a source model with MS
$(\mathcal{X}\mathcal{Y}\mathcal{Z}, p_{XYZ})$ consists of

• a key alphabet $\mathcal{K} = [\![1, 2^{nR}]\!]$;

• two alphabets $\mathcal{A}$, $\mathcal{B}$ respectively used by Alice and Bob to communicate over the public channel;

• two encoding functions $f_0 : \mathcal{X}^n \to \mathcal{A}$, $g_0 : \mathcal{Y}^n \times \mathcal{A} \to \mathcal{B}$;

• two functions $\kappa_a : \mathcal{X}^n \times \mathcal{B} \to \mathcal{K}$, $\kappa_b : \mathcal{Y}^n \times \mathcal{A} \to \mathcal{K}$;

and operates as follows

• Alice observes n realizations of the source $X^n$ while Bob observes $Y^n$;

• Alice transmits $A = f_0(X^n)$ subject to $H(A) \leq nR_1$;

• Bob transmits $B = g_0(Y^n, A)$ subject to $H(B) \leq nR_2$;

• Alice computes $K = \kappa_a(X^n, B)$ while Bob computes $\hat{K} = \kappa_b(Y^n, A)$.

Fig. 1. Source model for secret-key agreement.

The performance of a $(2^{nR}, n, R_1, R_2)$ key-distillation strategy $S_n$ is measured in terms of the
average probability of error between the key $K$ generated by Alice and the key $\hat{K}$ generated by Bob,
$\mathbf{P}_e(S_n) \triangleq \mathbb{P}[K \neq \hat{K} \mid S_n]$, in terms of the information leakage to the
eavesdropper, $\mathbf{L}(S_n) = I(K; Z^n A B \mid S_n)$, and in terms of the uniformity of the key,
$\mathbf{U}(S_n) = \log \lceil 2^{nR} \rceil - H(K \mid S_n)$.

Definition 2. A WSK rate $R$ is achievable for a source model if there exists a sequence of
$(2^{nR}, n, R_1, R_2)$ key-distillation strategies $\{S_n\}_{n \geq 1}$ such that

$$\lim_{n \to \infty} \mathbf{P}_e(S_n) = 0 \quad \text{(reliability)},$$

$$\lim_{n \to \infty} \mathbf{L}(S_n) = 0 \quad \text{(strong secrecy)},$$

$$\lim_{n \to \infty} \mathbf{U}(S_n) = 0 \quad \text{(strong uniformity)}.$$

Moreover, the WSK capacity of a source model with MS $(\mathcal{X}\mathcal{Y}\mathcal{Z}, p_{XYZ})$ is the
supremum of achievable WSK rates.

In the following, we also consider situations in which the eavesdropper has access to the public
messages exchanged by Alice and Bob, but has no side information $Z^n$. In such cases, the WSK capacity
is simply called the secret-key (SK) capacity and is denoted by $C_{\mathrm{SK}}$.

For convenience, we recall here known results regarding the model.

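Theorem 1 ([3] Theorem 5, Theorem 6). Let $(\mathcal{X}\mathcal{Y}\mathcal{Z}, p_{XYZ})$ be a DMS.

(a) For $R_1, R_2 \in \mathbb{R}^+$, the two-way one-round WSK capacity satisfies

$$C_{\mathrm{WSK}}(R_1, R_2) \geq R_{\mathrm{WSK}}(R_1, R_2),$$

where $R_{\mathrm{WSK}}(R_1, R_2) = \max \left( [I(Y; U) - I(Z; U)]^+ + [I(X; V|U) - I(Z; V|U)]^+ \right)$ subject to

$$R_1 \geq I(X; U|Y), \qquad (1)$$
$$R_2 \geq I(Y; UV|X), \qquad (2)$$
$$U \to X \to YZ \ \text{ and } \ V \to YU \to XZ,$$
$$|\mathcal{U}| \leq |\mathcal{X}| + 2, \quad |\mathcal{V}| \leq |\mathcal{Y}|. \qquad (3)$$

(b) For $R_1 \in \mathbb{R}^+$, the one-way WSK capacity is

$$C_{\mathrm{WSK}}(R_1, 0) = \max \left( I(Y; U|V) - I(Z; U|V) \right) \ \text{ subject to}$$
$$R_1 \geq I(X; U|Y),$$
$$V \to U \to X \to YZ,$$

(4)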

Corollary 2 ([3] Theorem 2, Theorem 4). Let $(\mathcal{X}\mathcal{Y}, p_{XY})$ be a DMS.

(a) For $R_1, R_2 \in \mathbb{R}^+$, the two-way SK capacity is

$$C_{\mathrm{SK}}(R_1, R_2) = \max \left( I(Y; U) + I(X; V|U) \right) \ \text{ subject to}$$
$$U \to X \to Y, \qquad (5)$$
$$V \to YU \to X, \qquad (6)$$

rate constraints (1), (2), and range constraints (3).

(b) For $R_1 \in \mathbb{R}^+$, the one-way SK capacity is

$$C_{\mathrm{SK}}(R_1, 0) = \max \left( I(Y; U) \right) \ \text{ subject to}$$

rate constraint (1), Markov condition (5), and range constraint (4).

For a DMS, in the absence of rate constraint between Alice and Bob, i.e. $R_1 = +\infty$, [13, Theorem 4.7]
(see also [9]) states that we can handle reliability and secrecy successively to achieve the WSK capacity
$C_{\mathrm{WSK}}(R_1, 0)$, by means of a reconciliation step that deals with reliability, and a privacy
amplification step that deals with secrecy. In the next sections, we extend these results to rate-limited
communication between Alice and Bob, i.e. $R_1, R_2$ finite, and in addition, we study under which
conditions secrecy and reliability can be treated as independent problems. Specifically, we study the
achievability of $R_{\mathrm{WSK}}(R_1, R_2)$, $C_{\mathrm{WSK}}(R_1, 0)$ (Theorem 1) and
$C_{\mathrm{SK}}(R_1, R_2)$ (Theorem 2) with a sequential key-distillation strategy consisting of a two-way
one round reconciliation protocol and a privacy amplification with extractors.

IV. Sequential key-distillation strategy 

In the following, we use the term sequential key-distillation strategy, for a key-distillation strategy 
consisting of the succession of a reconciliation protocol and a privacy amplification with extractors. 

A. Reconciliation 

During the reconciliation phase, Alice and Bob send messages to each other over an authenticated 
public channel with limited rate. Alice and Bob then process their observations to agree on a common 
bit sequence S. At this stage the sequence is not subject to any secrecy constraint. Formally, a two-way 
one round rate-limited reconciliation protocol is defined as follows. 

Definition 3. Let $R_1, R_2 \in \mathbb{R}^+$. A rate-limited reconciliation protocol $\mathcal{R}_n(R_1, R_2)$,
noted $\mathcal{R}_n$ for convenience, for a source model with MS $(\mathcal{X}\mathcal{Y}, p_{XY})$ consists of

• an alphabet $\mathcal{S} = [\![1, M]\!]$;

• two alphabets $\mathcal{A}$, $\mathcal{B}$ respectively used by Alice and Bob to communicate over the public channel;

• two encoding functions $f : \mathcal{X}^n \to \mathcal{A}$, $g : \mathcal{Y}^n \times \mathcal{A} \to \mathcal{B}$;

• two functions $\eta_a : \mathcal{X}^n \times \mathcal{B} \to \mathcal{S}$, $\eta_b : \mathcal{Y}^n \times \mathcal{A} \to \mathcal{S}$;

and operates as follows

• Alice observes n realizations of the source $X^n$ while Bob observes $Y^n$;

• Alice transmits $A = f(X^n)$ subject to $H(A) \leq nR_1$;

• Bob transmits $B = g(Y^n, A)$ subject to $H(B) \leq nR_2$;

• Alice computes $S = \eta_a(X^n, B)$ while Bob computes $\hat{S} = \eta_b(Y^n, A)$.

The reliability performance of a reconciliation protocol is measured in terms of the average probability
of error $\mathbf{P}_e(\mathcal{R}_n) \triangleq \mathbb{P}[S \neq \hat{S} \mid \mathcal{R}_n]$. In addition, since
the reconciliation protocol, which generates the common sequence $S$, is followed by the privacy
amplification step to generate a secret key, it is desirable to leak as little information as possible over
the public channel. As in [13] we define the reconciliation rate of a reconciliation protocol as
$\mathbf{R}(\mathcal{R}_n) \triangleq \frac{1}{n} \left[ H(S \mid \mathcal{R}_n) - H(AB \mid \mathcal{R}_n) \right]$.

Definition 4. For a given $(R_1, R_2)$, a reconciliation rate $R$ is achievable if there exists a sequence of
rate-limited reconciliation protocols $\{\mathcal{R}_n\}_{n \geq 1}$ such that

$$\lim_{n \to \infty} \mathbf{P}_e(\mathcal{R}_n) = 0 \ \text{ and } \ \lim_{n \to \infty} \mathbf{R}(\mathcal{R}_n) \geq R.$$

Moreover, the two-way one round rate-limited reconciliation capacity $C_{\mathrm{rec}}(R_1, R_2)$ of a MS
$(\mathcal{X}\mathcal{Y}, p_{XY})$ is the supremum of achievable reconciliation rates.

The reconciliation capacity characterizes the best trade-off between the length of the sequence shared 
by Alice and Bob after reconciliation and the quantity of information publicly exchanged. We formally 
prove in Section IV and Section V that in some cases, optimizing reconciliation and privacy amplification 
independently, which implies achieving the reconciliation capacity, leads to the best possible sequential 
key-distillation strategy. 

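Proposition 1. Let $(\mathcal{X}\mathcal{Y}, p_{XY})$ be a MS.

(a) For $R_1, R_2 \in \mathbb{R}^+$, the rate-limited reconciliation capacity $C_{\mathrm{rec}}(R_1, R_2)$ is

$$C_{\mathrm{rec}}(R_1, R_2) = C_{\mathrm{SK}}(R_1, R_2).$$

(b) Assume $R_1 \in \mathbb{R}^+$ and $R_2 = 0$. For a DMS, we tighten the rate constraint (1) and the range
constraint (4) as follows

$$C_{\mathrm{rec}}(R_1, 0) = C_{\mathrm{SK}}(R_1, 0) = \max I(Y; U) \ \text{ subject to}$$
$$R_1 = I(X; U|Y), \qquad (7)$$
$$U \to X \to Y, \quad |\mathcal{U}| \leq |\mathcal{X}|.$$

For a CMS, (7) also holds, if the pdf $f_{U|X}$ exists and is in $\mathcal{B}_c(K)$, for some $K \in \mathbb{R}$.

Proof: See Appendix A. ■

Remark 1. Let $R_2 \in \mathbb{R}^+$, $R_1 \in [H(X|Y), +\infty[$. For a DMS, $C_{\mathrm{rec}}(R_1, R_2) = I(X; Y)$.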

Remark 2. In Proposition 1, the equality in the rate constraint (7) relies on an argument applicable 
to various convex maximization problems: the maximum principle (see Appendix A-A). This argument is
also used in Proposition 2. Note that the refinement offered by these equalities is critical to tighten the
range constraints on U in Propositions 1, 2, as well as to determine the WSK capacity for binary sources
in Section V-A.

B. Privacy amplification 

During the privacy amplification phase, Alice and Bob generate their secret key by applying a
deterministic function, on which they publicly agreed ahead of time, to their common sequence S obtained
after reconciliation. This phase is performed with extractors [17], which are functions that take as input
a sequence of n arbitrarily distributed bits and output a sequence of k nearly uniformly distributed bits, 
using another input of d truly uniformly distributed bits. The following theorem provides a lower bound 
on the size of the key, on which the legitimate users agree. 

Theorem 3 ([9], [13]). Let $S \in \{0, 1\}^n$ be the RV that represents the common sequence shared by Alice
and Bob, and let $E$ be the RV that represents the total knowledge about $S$ available to Eve. Let $e$ be a
particular realization of $E$.

If Alice and Bob know that $H_\infty(S \mid E = e) \geq \gamma n$, for some $\gamma \in\, ]0, 1[$, then there exists
an extractor $g : \{0, 1\}^n \times \{0, 1\}^d \to \{0, 1\}^k$ with $d \leq n\delta(n)$ and
$k \geq n(\gamma - \delta(n))$. Moreover, if $U_d$ is a RV uniformly distributed on $\{0, 1\}^d$ and Alice and
Bob choose $K = g(S, U_d)$ as their secret key, then

$$H(K \mid U_d, E = e) \geq k - \delta^*(n), \ \text{ with } \ \delta^*(n) = 2^{-\sqrt{n}/\log n} \left( k + \sqrt{n}/\log n \right).$$

Note that the size d of the uniformly distributed input sequence is negligible compared to n, so that
the effect on the rate of public communication is negligible. Moreover, extractors that extract almost the
entire min-entropy of the input S and require a comparatively negligible amount of uniform randomness
can be efficiently constructed [17].

Remark 3. Privacy amplification can also be performed with hash functions, in which case the
counterpart of Theorem 3 is found in [8]. However, the use of hash functions inflicts a penalty, since this
requires more random bits than extractors. In fact, hash functions must be chosen at random in universal
families, which requires on the order of n random bits, and translates into a communication rate loss of
1 bit (see [8], [13] for further details).

C. Sequential key-distillation strategy 

In this section, we prove our main result, namely, that the successive combination of reconciliation 
and privacy amplification achieves the best known rates.

Theorem 4. Let $(\mathcal{X}\mathcal{Y}\mathcal{Z}, p_{XYZ})$ be a MS such that $X \to Y \to Z$. For
$R_1, R_2 \in \mathbb{R}^+$, all WSK rates $R$ that satisfy

$$R < R_{\mathrm{WSK}}(R_1, R_2)$$
are achievable with sequential key-distillation strategies. 

Proof: See Appendix B-A. ■ 

Remark 4. Note that we assume $X \to Y \to Z$. Common examples for which this hypothesis is valid are
sources generated over the degraded broadcast channel, or over channels such that
$p_{XZ|Y} = p_{X|Y}\, p_{Z|Y}$, as in a wireless context for instance. For two-way communication, the necessity
of this hypothesis might be an inherent weakness of a scheme that consists of a successive design of
reconciliation and privacy amplification, rather than a joint design as in [3] (see the proof for more
details). Observe, however, that for a one-way public communication (Theorem 5), this assumption is not
required.

Theorem 5. Let $(\mathcal{X}\mathcal{Y}\mathcal{Z}, p_{XYZ})$ be a MS. For $R_1 \in \mathbb{R}^+$, all WSK rates
$R$ that satisfy

$$R < C_{\mathrm{WSK}}(R_1, 0)$$

are achievable with sequential key-distillation strategies.

Proof: See Appendix B-B. ■

Theorem 6. Let $(\mathcal{X}\mathcal{Y}, p_{XY})$ be a MS.

(a) For $R_1, R_2 \in \mathbb{R}^+$, all SK rates $R$ that satisfy

$$R < C_{\mathrm{SK}}(R_1, R_2)$$

are achievable with sequential key-distillation strategies.

(b) Moreover, reconciliation and privacy amplification can be designed independently. 

Proof: See Appendix B-C. ■ 
Theorem 5 and Theorem 4 state that a sequential key-distillation strategy achieves the best known
bounds for the WSK capacity. Remark that, as demonstrated in Example 1, achieving the reconciliation
capacity (Proposition 1) may not lead to an optimal sequential key-distillation, since the RV $U$ that
achieves $C_{\mathrm{rec}}(R_1, 0)$ (resp. the RVs $U, V$ that achieve $C_{\mathrm{rec}}(R_1, R_2)$) in
Proposition 1 might actually not achieve $C_{\mathrm{WSK}}(R_1, 0)$ (resp. $R_{\mathrm{WSK}}(R_1, R_2)$). In
other words, reliability and secrecy can be handled successively, but cannot necessarily be treated as
independent problems.

Fig. 2. Example of a binary DMS studied in Example 1

In contrast, Theorem 6 states much stronger conclusions regarding the SK capacity $C_{\mathrm{SK}}$, since
reconciliation and privacy amplification can be designed independently of each other in all cases.
Nevertheless, in the next section we prove that for the one-way WSK capacity, reconciliation and privacy
amplification can be designed independently of each other for binary or Gaussian degraded sources.

Example 1. Consider the scenario presented in Figure 2, in which X and Y (resp. Y and Z) are
connected by a Z-channel (resp. a mirrored Z-channel) with parameter p. Assume that $R_1 \geq H(X|Y)$
so that

$$C_{\mathrm{WSK}}(R_1, R_2) = \max_{p_X} \left( I(X; Y) - I(X; Z) \right), \quad C_{\mathrm{rec}}(R_1, R_2) = \max_{p_X} I(X; Y).$$

One can check that if $\mathbb{P}(X = 0) = q$, then $I(X; Y) = f(\alpha) = H_b((1 - \alpha)(1 - p)) - (1 - \alpha)H_b(p)$, and
$I(X; Z) = g(\alpha) \triangleq H_b((1 - p)(1 - \alpha + \alpha p)) - \alpha H_b(p) - q H_b(p(1 - p))$. Numerically,
$C_{\mathrm{WSK}}(R_1, R_2) > 0.23 > 0.22 > C_{\mathrm{rec}}(R_1, R_2) - g(\arg\max_\alpha f(\alpha))$. Hence, achieving the
reconciliation capacity in a sequential key-distillation is not optimal here.

Remark 5. Results similar to Theorems 4, 5, 6, can be obtained by replacing extractors by hash functions. 
However, this incurs a communication rate loss of 1 bit, as mentioned in Section IV-B. 

V. Special Cases 

In this section, we illustrate our results for a one-way rate-limited key-distillation with degraded sources, 
for which X, Y, and Z form a Markov chain. With this assumption, we refine the characterization of the 
WSK capacity and we study sequential key-distillation for binary and Gaussian sources; in these cases, 
we show that reconciliation and privacy amplification can be designed independently. We also briefly 
discuss the performance of vector quantization compared to scalar quantization in the Gaussian case. 

Proposition 2. Let $(\mathcal{X}\mathcal{Y}\mathcal{Z}, p_{XYZ})$ be a MS. Assume $X \to Y \to Z$. For
$R_1 \in \mathbb{R}^+$, the one-way WSK capacity is

$$C_{\mathrm{WSK}}(R_1, 0) = \max \left( I(Y; U) - I(Z; U) \right) \ \text{ subject to}$$
$$R_1 = I(X; U|Y),$$
$$U \to X \to Z,$$
$$|\mathcal{U}| \leq |\mathcal{X}| \ \text{ for a DMS}.$$

For a CMS, a similar result holds under the same condition as in Proposition 1.

Proof: See Appendix C. ■

Fig. 3. Example of the DMS studied in Section V-A

Remark 6. The expression of the WSK capacity in Proposition 2 is obtained from Theorem 1.b and is
due to Watanabe [16]. We refine this result by proving that equality holds in the rate constraint and
by improving the range constraint of U; this refinement is critical for the analysis of binary sources,
especially to solve the optimization problem for the WSK capacity in Proposition 3.

Remark 7. For degraded sources, and in the absence of rate constraint, i.e. $R_1 = +\infty$, one easily shows in
Theorem 4.7 of [13] that reconciliation and privacy amplification can be designed independently if and
only if $I(X; Y)$ and $I(X; Z)$ are maximized by the same distribution $p_X$.⁴ However, in Proposition 2,
we can show, using [19, Proposition 2.1], that having $I(Y; U)$ and $I(Z; U)$ maximized by the same
distribution is neither sufficient nor necessary to obtain independent reconciliation and privacy
amplification.

⁴ For a DMC, it is for instance the case when the channels $(\mathcal{X}, p_{Y|X}, \mathcal{Y})$ and
$(\mathcal{X}, p_{Z|X}, \mathcal{Z})$ are weakly symmetric [18].

A. Binary source

As depicted in Figure 3, assume that X has a Bernoulli distribution with parameter $1/2$, and that
$X \to Y \to Z$ forms a Markov chain. The alphabet $\mathcal{X}$ is binary, but no assumption is made on
$\mathcal{Y}$ and $\mathcal{Z}$.

Proposition 3. Let $R_1 \in \mathbb{R}^+$. If the channels $p_{Y|X}$ and $p_{Z|X}$ are symmetric [20], then the
auxiliary RV $U$ achieving $C_{\mathrm{WSK}}(R_1, 0)$ in Proposition 2 is such that the test-channel $p_{U|X}$ is
a BSC with parameter $\beta_0$, with $\beta_0$ any of the two symmetric solutions of

$$R_1 = I(U; X) - I(U; Y).$$

Proof: See Appendix D. ■

Corollary 7. Let $R_1 \in \mathbb{R}^+$. If the channels $p_{Y|X}$ and $p_{Z|X}$ are symmetric, then by
Proposition 3, the auxiliary RV $U$ achieving $C_{\mathrm{rec}}(R_1, 0)$ in Proposition 1 also achieves
$C_{\mathrm{WSK}}(R_1, 0)$ in Proposition 2. Hence, by Propositions 1, 2 and Theorem 5, reconciliation and
privacy amplification can be designed independently.

Example 2. As depicted in Figure 4, assume that X has a Bernoulli distribution with parameter $1/2$, and
that X and Y (respectively Y and Z) are connected by a binary symmetric channel (BSC) with crossover
probability p (respectively q). By Proposition 3, the reconciliation capacity is

$$C_{\mathrm{rec}}(R_1, 0) = \begin{cases} 1 - H_b(p \star \beta_0), & \text{if } R_1 \leq H(X|Y), \\ 1 - H_b(p), & \text{if } R_1 \geq H(X|Y), \end{cases}$$

and the WSK capacity is

$$C_{\mathrm{WSK}}(R_1, 0) = \begin{cases} H_b(p \star \beta_0 \star q) - H_b(p \star \beta_0), & \text{if } R_1 \leq H(X|Y), \\ H_b(p \star q) - H_b(p), & \text{if } R_1 \geq H(X|Y), \end{cases}$$

with $\beta_0$ any of the two symmetric solutions of the equation $H_b(p \star \beta_0) - H_b(\beta_0) = R_1$.

Figure 6 (resp. Figure 5) shows that the reconciliation capacity $C_{\mathrm{rec}}(R_1, 0)$ (resp. the secret-key
capacity $C_{\mathrm{WSK}}(R_1, 0)$) is monotonically increasing in the communication rate constraint $R_1$. As
soon as $R_1$ is at least $H(X|Y)$, it attains the same maximum $I(X; Y)$ (resp. $I(X; Y) - I(X; Z)$) as in the
case $R_1 = +\infty$.
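The closed forms of Example 2 can be evaluated numerically as follows. This is an added example, not code from the paper: the function names and the bisection solver are assumptions, as is the sample value p = 0.1 (q = 0.2 is the value in the caption of the WSK capacity figure). The last function covers the erasure variant discussed after the figures.

```python
import math


def hb(x):
    """Binary entropy H_b(x) in bits, with H_b(0) = H_b(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def star(a, b):
    """Binary convolution a * b = a(1 - b) + (1 - a)b from the Notation section."""
    return a * (1 - b) + (1 - a) * b


def solve_beta0(p, r1, tol=1e-12):
    """Solution beta0 in [0, 1/2] of H_b(p * beta0) - H_b(beta0) = r1.

    For 0 <= p <= 1/2 the left-hand side decreases from H_b(p) = H(X|Y) at
    beta0 = 0 to 0 at beta0 = 1/2, so bisection applies. The second,
    symmetric solution is 1 - beta0. For r1 >= H(X|Y) the constraint is
    inactive and beta0 = 0 (U = X).
    """
    if not 0.0 <= p <= 0.5:
        raise ValueError("p must lie in [0, 1/2]")
    if r1 < 0:
        raise ValueError("r1 must be non-negative")
    if r1 >= hb(p):
        return 0.0
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if hb(star(p, mid)) - hb(mid) > r1:
            lo = mid  # rate used is still above r1: make the test channel noisier
        else:
            hi = mid
    return (lo + hi) / 2


def c_rec(p, r1):
    """Reconciliation capacity C_rec(R1, 0) for X ~ Bernoulli(1/2), X-Y a BSC(p)."""
    return 1.0 - hb(star(p, solve_beta0(p, r1)))


def c_wsk_bsc(p, q, r1):
    """WSK capacity C_WSK(R1, 0) when Y-Z is a BSC(q)."""
    pb = star(p, solve_beta0(p, r1))
    return hb(star(pb, q)) - hb(pb)


def c_wsk_bec(p, eps, r1):
    """WSK capacity when Y-Z is a BEC with erasure probability eps."""
    return eps * c_rec(p, r1)


if __name__ == "__main__":
    p, q = 0.1, 0.2  # p is a constructed sample value
    print(f"H(X|Y) = H_b(p) = {hb(p):.4f} bits")
    print(" R1     beta0    C_rec    C_WSK")
    for r1 in (0.0, 0.1, 0.2, 0.3, 0.4, hb(p), 1.0):
        print(f"{r1:5.3f}  {solve_beta0(p, r1):7.4f}  "
              f"{c_rec(p, r1):7.4f}  {c_wsk_bsc(p, q, r1):7.4f}")
```

Both capacities are computed from the same $\beta_0$, which is the independence of reconciliation and privacy amplification stated in Corollary 7.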
Fig. 5. Reconciliation capacity $C_{\mathrm{rec}}(R_1, 0)$.

Fig. 6. WSK capacity $C_{\mathrm{WSK}}(R_1, 0)$ ($q = 0.2$).

Fig. 7. Example of the DMS studied in Example 2

Corollary 7 states that choosing a test-channel $p_{U|X}$ as a BSC with parameter $\beta_0$ achieves
$C_{\mathrm{rec}}(R_1, 0)$ and $C_{\mathrm{WSK}}(R_1, 0)$, so that reconciliation and privacy amplification can be
designed independently. Consequently, for any other channel $p_{Z|Y}$, as long as $p_{Z|X}$ stays symmetric,
the reconciliation capacity and the optimal reconciliation protocol for sequential key-distillation remain
the same. It is for instance the case if we choose $p_{Z|Y}$ as a binary erasure channel (BEC), as depicted
in Figure 7. Moreover, in this case, Proposition 3 still allows us to determine the WSK capacity:

$$C_{\mathrm{WSK}}^{(\mathrm{erasure})}(R_1, 0) = \begin{cases} \epsilon \left( 1 - H_b(p \star \beta_0) \right), & \text{if } R_1 \leq H(X|Y), \\ \epsilon \left( 1 - H_b(p) \right), & \text{if } R_1 \geq H(X|Y), \end{cases}$$

where $\epsilon$ is the erasure probability characterizing $p_{Z|Y}$.

B. Gaussian sources 

Let X, Y, and Z be zero-mean correlated Gaussian sources on $\mathbb{R}$. Assume that Alice, Bob, and Eve
know the covariance matrix of $(X, Y, Z)$.

Fig. 8. Reconciliation capacity $C_{\mathrm{rec}}(R_1, 0)$ for different correlation coefficients $\rho_{XY}$.

Fig. 9. WSK capacity $C_{\mathrm{WSK}}(R_1, 0)$, for different correlation coefficients $\rho_{XY}$
($\rho_{XZ} = 0.1$, $\rho_{YZ} = 0.4$).

Proposition 4. The auxiliary RV $U$ achieving $C_{\mathrm{rec}}(R_1, 0)$ in Proposition 1 is Gaussian. Moreover,
the reconciliation capacity is

$$C_{\mathrm{rec}}(R_1, 0) = \frac{1}{2} \log_2 \frac{1 - \left( \rho_{XY} e^{-R_1} \right)^2}{1 - \rho_{XY}^2},$$

where $\rho_{XY}$ is the correlation coefficient between X and Y.

Proof: The result is deduced from Proposition 5 and Proposition 1. ■

Proposition 5 ([16]). The auxiliary RV $U$ achieving $C_{\mathrm{WSK}}(R_1, 0)$ in Proposition 2 is Gaussian.
Moreover, the WSK capacity is

$$C_{\mathrm{WSK}}(R_1, 0) = \frac{1}{2} \log_2 \frac{(1 - \rho_{YZ}^2)(1 - \rho_{XZ}^2) - (\rho_{XY} - \rho_{YZ}\rho_{XZ})^2 e^{-2R_1}}{(1 - \rho_{YZ}^2)(1 - \rho_{XZ}^2) - (\rho_{XY} - \rho_{YZ}\rho_{XZ})^2}.$$

As illustrated in Figure 8 (resp. Figure 9) the reconciliation capacity (resp. the WSK capacity) does
not reach $I(X; Y)$ (resp. $I(X; Y) - I(X; Z)$) when $R_1$ exceeds a certain value. As mentioned in [16]
and Remark 1, unlike the case of discrete random variables, $C_{\mathrm{rec}}(R_1, 0)$ (resp.
$C_{\mathrm{WSK}}(R_1, 0)$) can only approach $I(X; Y)$ (resp. $I(X; Y) - I(X; Z)$) asymptotically. Nevertheless,
we show in the next section a continuous counterpart of Remark 1.

Proposition 4 and Proposition 5 state that both arguments of the maximum for the auxiliary RV $U$, in
Proposition 1 and in Proposition 2, are Gaussian and satisfy the same constraint $I(X; U) - I(Y; U) = R_1$.
Since this equation has only one solution, we deduce by Propositions 1, 2 and Theorem 5 that for Gaussian
sources, achieving the reconciliation capacity in a sequential key-distillation leads to an optimal
key-distillation.

C. Practical considerations 

The achievability scheme of Proposition 2 is based on Wyner-Ziv coding. For a practical
implementation, additional structure needs to be introduced, for instance with vector quantization. Since
scalar quantization is the simplest and often the most computationally efficient type of quantization, it is
natural to ask how scalar quantization performs compared to vector quantization. We answer this question
for the Gaussian case presented in Section V-B.

Proposition 6. Let $n \in \mathbb{Z}$ and $\Delta > 0$. Define $U = X_Q$, a uniformly quantized version of X,
as follows: $p_{U|Y}(u_n|y) = p_{X|Y}(t_n|y)\Delta$, $p_U(u_n) = p_X(t_n)\Delta$, where
$t_n = \Delta/2 + (n - 1)\Delta$. If $\Delta$ is small enough, then
\I{X;Y)-I{Y;U)\i^ [ai?i + /3]e-^^^ + i^/R^e^W^I^)-^'^)] , 
where $R_1$ is the communication rate constraint, and $\alpha$, $\beta$, $K$ are some constants.

Proof: See Appendix E. ■ 

Remark 8. The proof of Proposition 6 develops a technique that can be applied to other types of
distributions (not necessarily Gaussian), as long as their pdfs exist and verify certain decreasing properties.

Proposition 6 gives a continuous counterpart of Remark 1. Indeed, if Ri > h{X\Y), then we can 
quantize X finely enough, and Proposition 6 states that I{Y; U) approaches I{X; Y) exponentially fast 
as Ri increases. 

Hence, vector quantization does not offer significant improvement compared to scalar quantization
when the communication rate is above $h(X|Y)$. Note that in practice we can optimize the scalar
quantization, so that the loss could be even smaller than predicted by Proposition 6. Figure 10 illustrates
this point by comparing the reconciliation capacity with numerical values of achievable rates obtained
when X is scalar-quantized.⁵ Nevertheless, for low communication rates, Figure 10 shows that vector
quantization improves the performance; in this case, we could implement, for instance, trellis coded
vector quantization (TCVQ) [21].

⁵ We have increased the number of quantization intervals of X from 2 to 15 and chosen their bounds by a standard gradient
method to maximize $I(X_Q; Y)$.

Fig. 10. Reconciliation capacity obtained with scalar quantization of X with $\rho_{XY} = 0.75$, $h(X|Y) \approx 1$
(horizontal axis: $R_1$ [bits]).

VI. Concluding remarks 

We have extended the best known bounds of the WSK capacity for a discrete source model to the case 
of a continuous source model. For a discrete or continuous source model, we have proved that the best 
known bounds for the one-way WSK capacity with rate-limited public communication, are achievable 
by a sequential strategy that separates reliability and secrecy thanks to a reconciliation step followed 
by a privacy amplification step with extractors; in the case of two-way communication, the sequential 
design seems to suffer a loss of performance compared to the joint design and similar secret key rates 
were only established for degraded sources or when there is no side information at the eavesdropper (SK 
capacity). Moreover, we have demonstrated that reconciliation and privacy amplification can be designed 
independently for some scenarios, including the cases of binary and Gaussian degraded sources with 
one-way rate-limited public communication. A strength of sequential key-distillation is to easily translate 
into practical designs. Even more interestingly, the proposed scheme can be made very flexible with the 
following modifications. 

1) Rate-compatible reconciliation: we can adapt to the characteristics of the legitimate users by using rate-compatible LDPC codes to perform the reconciliation phase, as demonstrated in [22], [23]. Note, however, that vector quantization might be required, which could complicate the reconciliation phase.

2) Rate-compatible privacy amplification: In Section IV-B, we have mentioned the possible use of hash functions, if we can afford a communication rate loss of 1 bit. In the latter case, we have access to privacy amplification methods easily adjustable to the characteristics of the eavesdropper's observations, if we make $k$ vary in the following universal family of hash functions $\mathcal{H} = \{\mathrm{GF}(2^n) \to \{0,1\}^k,\ x \mapsto (k \text{ bits of the product } xy) \mid y \in \mathrm{GF}(2^n)\}$, where the $k$ bits are fixed but their position can be chosen arbitrarily [24].
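The hash family above can be exercised directly. The following is an added example, not code from the paper or from [24]: it implements the product in $\mathrm{GF}(2^n)$, keeps $k$ chosen bit positions, and verifies exhaustively that two distinct inputs collide for exactly a fraction $2^{-k}$ of the seeds $y$, whatever the positions. Assumptions: $n = 8$ with the reduction polynomial $x^8 + x^4 + x^3 + x + 1$ (so that the whole family can be enumerated), constructed sample values, and all function names.

```python
"""Added example: privacy amplification with the GF(2^n) product hash family."""

N_BITS = 8
REDUCTION_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2) (assumed choice)


def gf_mul(a, b, n=N_BITS, poly=REDUCTION_POLY):
    """Multiply a and b in GF(2^n): shift-and-add with modular reduction."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        b >>= 1
        a <<= 1
        if a >> n:          # degree reached n: subtract (xor) the modulus
            a ^= poly
    return product


def select_bits(value, positions):
    """Pack the bits of `value` found at `positions` into a k-bit integer."""
    out = 0
    for i, pos in enumerate(positions):
        out |= ((value >> pos) & 1) << i
    return out


def hash_key(x, y, positions):
    """h_y(x) = chosen k bits of the field product x*y (y is the public seed)."""
    return select_bits(gf_mul(x, y), positions)


def collision_seeds(x1, x2, positions):
    """Number of seeds y for which x1 and x2 hash to the same key."""
    return sum(
        hash_key(x1, y, positions) == hash_key(x2, y, positions)
        for y in range(1 << N_BITS)
    )


def worst_case_collision_probability(positions):
    """Max over distinct inputs of P_y[h_y(x1) = h_y(x2)].

    The hash is GF(2)-linear in x, so a collision between x1 and x2 is a zero
    output for d = x1 xor x2; scanning the nonzero d covers every pair.
    """
    worst = max(collision_seeds(0, d, positions) for d in range(1, 1 << N_BITS))
    return worst / (1 << N_BITS)


def distill(reconciled, seed, k, positions=None):
    """Shrink the key to k bits; by default keep the k low-order positions."""
    if positions is None:
        positions = tuple(range(k))
    if len(positions) != k or len(set(positions)) != k:
        raise ValueError("need k distinct bit positions")
    if any(not 0 <= p < N_BITS for p in positions):
        raise ValueError("bit position outside the field element")
    return hash_key(reconciled, seed, positions)


if __name__ == "__main__":
    s_alice = s_bob = 0b10110010   # constructed reconciled string, identical on both sides
    seed = 0x83                    # constructed public seed y
    for k in (6, 4, 2):            # more leakage to the eavesdropper -> smaller k
        positions = tuple(range(k))
        assert distill(s_alice, seed, k) == distill(s_bob, seed, k)
        print(k, format(distill(s_alice, seed, k), f"0{k}b"),
              worst_case_collision_probability(positions))
```

Changing $k$ only changes how many product bits are kept, so the same multiplier serves every output length.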

Appendix A 
Proof of Proposition 1 

A. One-way communication 

We first show the result for $R_1 \in \mathbb{R}^+$ and $R_2 = 0$. The achievability and converse proofs can be found in [15]; it remains to prove that equality holds in the rate constraint (1) and that $|\mathcal{U}| \leq |\mathcal{X}|$.

1) Equality constraint: We start with the following lemma.

Lemma 1. $f(U) = I(Y;U)$ and $f_1(U) = I(X;U|Y)$ are convex in $p_{U|X}$.

Proof: Let $\lambda \in [0,1]$, and let $U_1$, $U_2$, defined by $p_{U_1|X}$, $p_{U_2|X}$ respectively, be such that $U_1 \to X \to Y$ and $U_2 \to X \to Y$.

We introduce the random variable $Q \in \{1,2\}$, independent of all others, and set $U = U_Q$, where

$$Q = \begin{cases} 1 & \text{with probability } \lambda, \\ 2 & \text{with probability } 1 - \lambda. \end{cases}$$

$$\begin{aligned}
I(Y;U) &\leq I(Y;UQ) \\
&= I(Y;Q) + I(Y;U|Q) \\
&\overset{(a)}{=} I(Y;U|Q) \\
&= \lambda I(Y;U_1) + (1-\lambda) I(Y;U_2),
\end{aligned}$$

where (a) holds since $Y$ and $Q$ are independent.

$$\begin{aligned}
I(X;U|Y) &\leq I(X;UQ|Y) \\
&= I(X;Q|Y) + I(X;U|YQ) \\
&\overset{(b)}{=} I(X;U|YQ) \\
&= \lambda I(X;U_1|Y) + (1-\lambda) I(X;U_2|Y),
\end{aligned}$$

where (b) holds because $H(X|YQ) = H(X|Y)$, since $Q$ and $(X,Y)$ are independent. ■

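(a) Discrete case

By Lemma 1, $f(U)$ and $f_1(U)$ are convex in $p_{U|X}$. Define $\mathcal{A} = \{\mathbf{u} \in \mathbb{R}^{|\mathcal{U}||\mathcal{X}|} : \forall (i,j) \in \llbracket 1, |\mathcal{U}| \rrbracket \times \llbracket 1, |\mathcal{X}| \rrbracket,\ \sum_{k=1}^{|\mathcal{U}|} u_{kj} = 1,\ u_{ij} \geq 0\}$, and $\mathcal{C} = \{\mathbf{u} \in \mathcal{A} : f_1(\mathbf{u}) \leq R_p\}$.
We first show that $\mathcal{C}$ is convex compact, with extreme points in $\{\mathbf{u} \in \mathcal{A} : f_1(\mathbf{u}) = R_p\}$:

• $\mathcal{C}$ is the preimage of $[0, R_p]$ by the continuous function $f_1$, thus $\mathcal{C}$ is closed. We deduce that $\mathcal{C}$ is compact, since $\mathcal{C} \subset [0,1]^{|\mathcal{U}||\mathcal{X}|}$ and $[0,1]^{|\mathcal{U}||\mathcal{X}|}$ is compact.

• $\mathcal{C}$ is convex by convexity of $f_1$, since the sublevels of a convex function are convex sets.

• Let $\mathbf{u}_1 \in \mathcal{C}$ s.t. $f_1(\mathbf{u}_1) = R_p - \delta$, with $\delta > 0$. By continuity of $f_1$, $\exists \epsilon_0$, $\forall \mathbf{u} \in \mathcal{B}(\mathbf{u}_1, \epsilon_0)$, $|f_1(\mathbf{u}) - f_1(\mathbf{u}_1)| < \delta$. Let $\mathbf{u}_0 \in \mathcal{B}(\mathbf{u}_1, \epsilon_0) \setminus \{\mathbf{u}_1\}$, $\lambda \in \{-\tfrac{1}{2}, +\tfrac{1}{2}\}$ and $\mathbf{u}_\lambda = \lambda \mathbf{u}_0 + (1-\lambda)\mathbf{u}_1$.

Then $\|\mathbf{u}_\lambda - \mathbf{u}_1\| = \|\lambda(\mathbf{u}_0 - \mathbf{u}_1)\| \leq |\lambda|\epsilon_0$, which means $\mathbf{u}_\lambda \in \mathcal{C}$. Hence, $\tfrac{1}{2}\mathbf{u}_{\lambda=+1/2} + \tfrac{1}{2}\mathbf{u}_{\lambda=-1/2} = \mathbf{u}_1$, and we conclude that $\mathbf{u}_1$ is not an extreme point. Hence, the set of extreme points of $\mathcal{C}$ is a subset of $\{\mathbf{u} \in \mathcal{A} : f_1(\mathbf{u}) = R_p\}$.

Since $f$ is continuous, it reaches a maximum $\mathbf{u}_{max}$ on the compact $\mathcal{C}$. Then, since $f$ is convex and $\mathcal{C}$ is a convex compact, by the Krein-Milman Theorem*, $\mathbf{u}_{max}$ is a convex linear combination of extreme points of $\mathcal{C}$ (existence of such extreme points comes directly from the Krein-Milman theorem, since $\mathcal{C} \neq \emptyset$). Hence, $\mathbf{u}_{max} = \sum_{k=1}^{n} \lambda_k \mathbf{u}_k$, with $\sum_{k=1}^{n} \lambda_k = 1$, $\lambda_1, \lambda_2, \ldots, \lambda_n \geq 0$ and $\mathbf{u}_1, \mathbf{u}_2, \ldots, \mathbf{u}_n$ extreme points of $\mathcal{C}$. By convexity of $f$,

$$f(\mathbf{u}_{max}) \leq \sum_{k=1}^{n} \lambda_k f(\mathbf{u}_k) \leq \sum_{k=1}^{n} \lambda_k f(\mathbf{u}_{max}) = f(\mathbf{u}_{max}),$$

thus

$$\sum_{k=1}^{n} \lambda_k \left(f(\mathbf{u}_{max}) - f(\mathbf{u}_k)\right) = 0,$$

which means that there exists $i \in \llbracket 1, n \rrbracket$ s.t. $f(\mathbf{u}_{max}) = f(\mathbf{u}_i)$. We conclude that $\mathbf{u}_{max}$ is an extreme point of $\mathcal{C}$. This result is known as the maximum principle [25].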

(b) Continuous case

If the probability density functions (pdfs) $p_{U|X}$ and $p_{V|YU}$ exist and are in $(\mathcal{B}_c(K), \|\cdot\|_\infty)$, the set of $K$-bounded continuous functions, where $K \in \mathbb{R}$, then we proceed as in the discrete case by using the theorem in [26] instead of the Krein-Milman Theorem, since $\mathcal{B}_c(K)$ has the positive binary intersection [27].

* A compact convex subset of a locally convex topological vector space is the closed convex hull of the set of its extreme points. Actually, only a weaker version is used since a finite dimensional space is considered.

2) Cardinality bound: This result is a special case of a more general one that we prove in Appendix C-B.

B. Two-way communication 
Let Ri,R2 G M+. 

1) Converse: We first establish the rate constraints on Ri and i?2- We have 

nRi ^ H{A) 

^^n[I{A-Xj\U)-I{A-Yj\U)] 
^^n[I{U-Xj)-I{U-Yj)] 

^^nI{U-Xj\Yj) (8) 

where (a) holds by [28, Lemma 4.1], if we set U = X'^-^Yf_^^J and J is a RV uniformly distributed on 
[1, nj, independent of all previous RVs, (b) holds if we set U = AU, since Xj and U are independent, 
and (c) holds since $U \to X_J \to Y_J$ forms a Markov chain. Similarly, we have

$$\begin{aligned}
nR_2 &\geq H(B|A) \\
&\overset{(d)}{\geq} H(B|X^n) + H(S|\hat{S}) - n\delta(\epsilon) \\
&\overset{(e)}{\geq} I(S;B|X^n) + H(S|BX^n) - n\delta(\epsilon) \\
&= H(S|X^n) - n\delta(\epsilon) \qquad (9) \\
&= H(S|A) - I(S;X^n|A) - n\delta(\epsilon) \\
&\overset{(f)}{=} I(S;Y^n|A) - I(S;X^n|A) - n\delta(\epsilon) \\
&\overset{(g)}{=} n[I(V;Y_J|U) - I(V;X_J|U)] - n\delta(\epsilon) \\
&\overset{(h)}{=} nI(UV;Y_J|X_J) - n\delta(\epsilon),
\end{aligned}$$

where (d) holds because $A$ is a function of $X^n$ and by Fano's inequality, since for any $\epsilon > 0$, there exists a reconciliation protocol such that $\mathbb{P}(S \neq \hat{S}) \leq \delta(\epsilon)$,* (e) holds since $\hat{S} = \eta_a(X^n, B)$, (f) holds since $S = \eta_b(Y^n, A)$, (g) holds by [28, Lemma 4.1] and if we set $V = S$, finally (h) holds since $V \to Y_J U \to X_J$ and $U \to X_J \to Y_J$.

* $\delta(\epsilon)$ denotes a function of $\epsilon$ such that $\lim_{\epsilon \to 0} \delta(\epsilon) = 0$.

We now determine the reconciliation capacity bound. 

n 

I{S;X^) = Y,nS;X,\X^-') 

1=1 

n 

i=l 
n 

^Y.I{SX'-'y:1,;X,) 
1=1 

n 

= n^F{J = i)I{SX-'-'Yy^,;Xj\J = i) 
1=1 

= nI{SU;Xj\J) 

^nI{VU;Xj), (10) 
where (a) holds because the Xj's are i.i.d.. Then, 

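$$\begin{aligned}
H(S) - H(AB) &= I(S;X^n) + H(S|X^n) - H(A) - H(B|A) \\
&\overset{(b)}{\leq} nI(VU;X_J) - H(A) + n\delta(\epsilon) \\
&\overset{(c)}{\leq} n[I(VU;X_J) - I(U;X_J|Y_J) + \delta(\epsilon)] \\
&= n[I(X_J;Y_J) - I(X_J;Y_J|UV) + \delta(\epsilon)],
\end{aligned}$$

where (b) holds by (10) and since $H(S|X^n) \leq H(B|A) + n\delta(\epsilon)$ by (9), and (c) holds by (8).
For a DMS, standard techniques [28] show that $|\mathcal{U}| \leq |\mathcal{X}| + 2$ and $|\mathcal{V}| \leq |\mathcal{Y}|$.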

2) Achievability: The proof for a DMS is similar to Wyner-Ziv coding [29], we only describe the 
protocol. In the following, for n € N and e > 0, we note T"(X) the set of e-letter-typical sequences [30] 
(also called "robustly typical sequence" in [31]) with respect to px- We also define conditional typical 
sets as follows, r,"(y|x") = {y" : {x'\y'') G r,"(Xy)}. We note = ^nin^^.^pp^p^) pxix). Let 
e > 0, and define ei = ^e, e2 = 2e. 

Code construction: Fix a joint probability distribution pux on U x X and puvY on U x V x y. 
Let = I{X;U\Y) + 6eH{U), R'^ = I{Y;U) - 3eH{U). Generate 2"(^"+^") codewords, labeled 
u"'{u},u) with {u},h') G [1,2"-^" j x [[1,2"'^"I|, by generating the symbols Ui{uj,u) for i G ll,nj and 
{uj,u) £ [1,2"^" j X [[1,2"-^"]1 independently according to pu- Let R^ = I{V;Y\XU) + 6e2H{V\U), 
i?; = I{V;X\U) - 3e2H{V\U). For each {u},v), generate 2"(^"+^-) codewords, labeled v''{uj,u,k,l) 
with {k,l) £ [1,2"'^'' j X [1,2"'^"]], by generating the symbols Vi{u},u,k,l) for i £ and {k,l) £ 
[1,2"^" J X [l,2"-f^-J independently according to Pv\u=u,{u,u)-

Stepl. At Alice's side: Given x", find a pair {uj,^) s.t {x^ , u"' {00 , v)) G T^{XU). If we find several 
pairs, we choose the smallest one (by lexicographic order). If we fail we choose {uj, v) = (1, 1). Define 

s" = u'^{ijj,v) and transmit a" = w. 

Step2. At Bob's side: Given and a", find 9 s.t (y", ^"(a;, P)) G T^iYU) and define = n"(w,P). 
If there is one or more such v, choose the lowest, otherwise set P = 1. Find a pair {k,l) such that 
(s", y", k, I)) G T^^{UYV). If there is one or more such {k, I), choose the lowest, otherwise set 

{k, I) = (1, 1). Transmit 6" = k. Define §2 = v"'{uj, i>, k, I) and s" = (s", Sg)- 



Step3. At Alice's side: Given = and 6", find [s.t (^x", P, A;, Oj e TJ^(X;7y). 

If there is one or more such I, choose the lowest, otherwise set I = 1. Define S2 = ^" (w, z>, /c, Z) and 



We can show by standard arguments that there exists a code, such that after one repetition of the protocol. 



AUce obtains = [/"T>", whereas Bob has 5" = [/"F" with P[C/" / [/"] ^ 6e{n),^ P[y" / F"] ^ 
6ein), P[5'" / S'"|7^„,] ^ Pe(e, n)*^ and (f/", X"), (f7", Y"), (?7", Y", F"), (^y*^, F", X") jointly typical 



A. Proof of Theorem 4 

In the following, we use the same notations as in Appendix A. 

1) Discrete case: Let e > 0. Let Ri,R2 G Let m, n G N, and define N = nm. Let G N to be 
determined later. Consider a sequential key-distillation strategy Sn that consists of 

• m repetitions of a reconciliation protocol TZn based on Wyner-Ziv coding. One protocol operates 
as described in Appendix A-B. Hence, after one repetition of the protocol, P[S'" 7^ S^\Tin] ^ 
Pe{^, n). In addition, the information disclosed over the public channel during the m repetition of the 
reconciUation protocol is upper bounded by log|,A|^+ log|;B|^= NI{U;X\Y) + NI{V;Y\XU) + 
Nro{e), with lime^oro(e) = 0;'" 

^S^iji) denotes a function of e and n such that lim„^oo '5e(n) = 0. 

'in Appendix F we show that Pe{e,n) decreases exponentially to zero as ne^ goes to infinity. 




with probability approaching one for n large. 



To extend the result to a CMS, we proceed as in the proof of Theorem 4. 



Appendix B 



Proofs for Section IV-C 



10, 



Vo ^ 0{eH{UV)). 
• privacy amplification based on extractors, with output size k, at the end of which Alice computes her
key K = g{S^ , Ud), while Bob computes K = g{S'^ , Ud), where Ud is a sequence of d uniformly 
distributed random bits. 

The total information available to Eve after reconciliation consists of her observation Z^, the public 
messages A'^ and B'^ , respectively sent by Alice and Bob, and Ud- The strategy Spj is also known to 
Eve, but we omit the conditioning on Sn for convenience. 

We first show that, for a suitable choice of the output size k, we have k ^ H{K\UdZ^ B^) ^ 
k — 5{N)}^ Then, we show that the corresponding WSK rate achieves the lower bound on the WSK 
capacity of Theorem 1. We first state Lemma 2, a refined version of the results in [9], [13], that is 
obtained by using the notion of robust typicality developed in the appendix of [31], to later extend our 
result to the continuous case. 

Lemma 2 ([9], [13], Refined version). Consider a DMS {XZ,pxz) ^nd define the RV Q as 

1 if (X", Z") G T^,{XZ) and Z" G 7;"(Z), 
otherwise. 

Then, P[e = 1] ^ 1 - with 8%n) = 4|5x|e-^'"^^/^ where Sx = {x X : p{x) > 0} and 

fix = ^i^xi^Sx Pi^) ■ Moreover, if z"^ G TJ^{Z), 

H^iX^'lZ^ = z",e = 1) ^ n{H{X\Z) - S{e)) - 5l{n), where 5l{n) = 4|5x,y le-^'"'^-'-/^ 

Let us start by defining the following RVs 

1 if {S^, Z^) G T^iS'^Z'') and Z^ G TJ^iZ""), 
otherwise. 



T 



A 



otherwise. 



By Lemma 2 applied to the DMS (Z^"V"2:",P5^z^), P(e = 1) ^ 1 - (5°(m), and by [9, Lemma 10], 
P(T = 1) ^ 1 - 2-^. Hence, P(T = 1, = 1) ^ 1 - - 2"^, and 

H{K\UdZ^A^B^) ^ (l - 5^e{m) - 2"^) H{K\UdZ^ A^ B^ , T = 1, 9 = 1). (11) 
"5(n) denotes a function of n such that lim„_»oo S(n) = 0. 



October 17, 2012 



DRAFT 




To lower bound H{K\UdZ^ ,T = 1,6 = 1), we first lower bound H^dS^lZ^ = , = 
, = , = 1, T = 1) to be able to use Theorem 3. By definition of T, 

= z^, = a^, 5^ = 6^, G = 1, T = 1) 
^ HUS''\Z'' = z^, G = 1) - log(I^I^ISI^) - ^ 

^ m(^r(S"|Z") - 6{e)) - 6l{m) - N{I{U; X\Y) + I{V; Y\XU)) - ViV - Nro{e), (12) 

where (a) follows from Lemma 2,'^ and log(\Af\B\^) = N{I{U] X\Y) + I{V;Y\XU)) + Nro{e). We 
now lower bound ff(S'"|Z"). We first remark that 

H{S''\Z'') = H{S'^\Z'') + H{S'^\S''Z'') - H{S''\S''Z'^) 

H{S''\Z'') - 5,{n) 
= liY""- S'^\Z'') + i7(^'^|y"Z") - 5,{n) 

= H{Y''\Z'^) - H{Y''\Z''S'^) + F(C/"|y"Z") + if(1/"|y";7"Z'^) - 5^{n) 

nH{Y\Z) + i?(f7"|y"Z") - F(y"|Z"S") - 5,{n), (13) 

where (a) is from Fano's inequality and (b) holds because is a function of (y"C/"), the y^'s and Zj's 
are i.i.d.. We first lower bound ff(^7"|y"Z"). Remark that 

/?({7"|y"z") = i/(c/"|y"z") + F(c/"|c/"y"z") - |c/"y"z") 

S I y^Z") - 5e(n) 

= ?7"|y"Z") + //([/"|X"y"Z") - 5,(n) 

(=^I(X";[/'^|y"Z") 

= //(X^iy^Z") - i7(X"|y"Z"C/") - 5,{n) 

= nH{X\YZ) - F(X"|y"Z"C/") - 6,{n), (14) 
'^The m repetitions of the protocol TZ^ allow us to link -ffoo(-) to -ff(-)- 






where (c) is from Fano's inequality, {d) holds because [/" is a function of X" is a quantized version 
of X"), and (e) is true since the Xj's, l^'s , and Zj's are i.i.d.. Then, define 



1 if (X", ^7", (yZ)") G TP,{XUYZ), 
otherwise. 



1 if (x",;7") G 7;"(xc/), 



otherwise. 



so that, 

i7(x"|y"z"c/") ^ i?(x"rA|y"z"?7") 

= F(rA|y"z"[/") + /7(x"|y"z"[/"rA) 

^ 2 + ^ P(r = 7| A = 5)P(A = X //(x"|y"z"c/", r = 7, A = 5) 

5,7e{0,l} 

(/) 

^2 + i/(X"|y"Z";7'",r = 1,A = l) + n(2(^2(^)^ j4(^^/2)log|Af|, (15) 

where (/) holds since P(A = 0) ^ (^K"-)." and P(r = 0|A = 1) ^ b\(n)ll}^ Indeed, we can apply 
Markov Lemma [32] (see the version given in [31]), since we have C/" — >• X" — >• Y^'Z^ and for every 

n 

(x*", {yzY), p((y2)"|x") = J|pyz|x(yi^iki)- Then, 

i=l 

i/(X"|y"Z"C/",r = l,A = l)= xi/(X"|y",z",M",r = l,A = l) 

^ J] p(y",z",n«|l,l)log|7^'^(X|y",z",n")| 

^ P(y",^",^^"|l,l)(n^(^|yZt/)(l + 2e)) 

^ ni/(X|yz;7)(l + 2e). (16) 
Hence, combining (14), (15), and (16), we obtain 

i/(C/"|y"Z") ^ nH{X\YZ) - nH{X\YZU) - ri(e, n), (17) 

where 

ri(e,n) = 2nH{X\Y ZU)e + n{25l{n) + 5'^^{n)/2)\og\X\+2 + 5,{n). (18) 

"We have Sl{n) ^ Pe{e,n) by Wyner-Ziv coding in the reconciliation protocols. 
'■^By Markov Lemma, we have St{n) = 2jSxyz|e"''"''^^^/^ 
We now lower bound the term —H{Y"'\Z"-S"') in (13). Define

1 if (y"[/'^, y", z") e r2",((yc/)yz), 



otherwise. 

1 if (y"j7", y") G ((yc/)y), 

otherwise. 



We can write 

i/(y"|z"5") ^ i/(y"riAi|z"5") 

= i7(riAi|z"^") + F(y'^|z'"5"riAi) 

^2+ Yl =7i|Ai = (^i)P(Ai = 5i)i/(y"|Z"5",ri =7i,Ai = 5i) 

<5i,7ie{0,l} 

^|2 + i?(y"|Z"5",ri = l,Ai = l) + n(2(^3(^) ^^5(^)/2)log|3;|, (19) 

where {g) holds since P(Ai = 0) ^ and P(ri = 0|Ai = 1) ^ 6^{n)/2.^'' Indeed, we can 

apply Markov Lemma (see the version in [31]), since we have V"' — y"^" and for every 

n n 

((y?i)",z'^), = = llpz\Yizi\yi) = llpz\Yu{^^\y^u^), because ^ y« ^ Z" 

1 = 1 2=1 

if X" ^ y" ^ Z"^". Then, 



/f(y"|z"5",ri = i,Ai = 1) 

= piz"", s"|l, l)//(y"iZ" = z", 5" = s", Ti = 1, Ai = 1) 

^ J]p(z",s-|i,i)iog|r2",(y|z",ni 

^ p(z",s"|l,l)(n//(y|Zt/y)(l + 2e)) 

!^nH{Y\ZUV){l + 2e). (20) 

'^We have ^^(n) 5C Pe(e,n) by Wyner-Ziv coding in the reconciliation protocols. 
"By Markov Lemma, we have S^n) = 2\SYUz\e'''"''^"'' ■ 

"Note that the assumption of degraded sources is only necessary here. The use of this hypothesis is the weakness, at least for 
two-way communication (for one-way communication this assumption is not necessary), of a proof that consists of a successive design of reconciliation and privacy amplification, rather than a joint design as in [3], where they exploit the joint design to get the joint typicality of $(V^n, Y^n, U^n, Z^n)$.

Hence by (19), (20),

^ nH{Y\ZUV)+r2{e,n), (21) 

where 

r2(e,n) = 2nH{Y\ZUV)e + n{26^,{n) + 6^,{n)/2)log\y\+2. (22) 
Combining (13), (17), (21), 

H{S''\Z'') ^ n[H{Y\Z) + H{X\YZ) - H{X\YZU) - H{Y\ZUV)] - n{e,n) - r2{e,n) - 6e{n). 

(23) 

Then, remark that

$$\begin{aligned}
&H(Y|Z) + H(X|YZ) - H(X|YZU) - H(Y|ZUV) \\
&= I(Y;UV|Z) + I(X;U|YZ) \\
&= H(UV|Z) - H(UV|YZ) + I(X;U|YZ) \\
&= H(U|Z) + H(V|UZ) - H(U|YZ) - H(V|UYZ) + I(X;U|YZ) \\
&\overset{(h)}{\geq} H(U|Z) - I(V;Z|U) + H(V|U) - H(U|YZ) - H(V|UY) + I(X;U|YZ) \\
&= H(U|Z) - I(V;Z|U) - H(U|YZ) + I(V;Y|U) + I(X;U|YZ) \\
&\overset{(i)}{\geq} H(U|Z) - I(V;Z|U) - H(U|YZ) + I(V;Y|U) - H(U|X) + H(U|YZ) \\
&= I(U;X) - I(U;Z) - I(V;Z|U) + I(V;Y|U), \qquad (24)
\end{aligned}$$

where (h) and (i) hold because conditioning reduces entropy. Hence, by (12), (23) and (24)

H^iS^lZ"" = z^, = a^, i?^ = 6^, G = 1, T = 1) 

^ N[I{U; Y) + I{V; X\U) - I{U; Z) - I{V; Z\U)] - r^ie, N), (25) 

where 

rsie, N) ^ m(ri(e, n) + r2(e, n) + 5,in) + 5(e)) + 6l{m) + iVro(e) + Vn. (26) 

Set $k$ to be less than the lower bound in (25) by $\sqrt{N}$:

$$k \triangleq \left\lfloor N[I(U;Y) + I(V;X|U) - I(U;Z) - I(V;Z|U)] - r_3(\epsilon, N) - \sqrt{N} \right\rfloor. \qquad (27)$$

Now that we have lower bounded Hoo{S^\Z^ = , = , = b^,Q = l,T = 1) in (25) by k 
(defined in (27)), we can apply Theorem 3 to lower bound H{K\UdZ'^ B'^ , T = 1, 6 = 1) by A; - 
N5*{N), where 6*{N) is defined in the theorem. Thus, we can finally lower bound H{K\UdZ^ B^)
in (11): 

H{K\UdZ^ B^) ^ (l - 5^e{m) - 2~^) {k - N5*{N)) = k- 6{N), 

where the equality is obtained thanks to the exponential decrease of 6* and 6^. Moreover, the leakage is 
such that 

I{K- UdZ^A^B^) = H{K) - H{K\UdZ^A^B^) ^ 5{N). (28) 
The keys computed by Alice and Bob are asymptotically the same as N goes to infinity, since 

P(K / iv:) ^ ¥{S^ / 5^) ^ mP((C/"y") / (;7"y")) ^ mPe(e, n). (29) 

Then, by (18), (22), (26), we have that $r_3(\epsilon,N)/N = \delta(N) + \delta(\epsilon)$, thus the secret key rate $R = k/N$ is

$$R = I(U;Y) - I(U;Z) + I(V;X|U) - I(V;Z|U) - \delta(\epsilon) - \delta(N).$$

Note that it is not exactly the bound proposed in Theorem 1.a for the WSK capacity. We finish the proof as follows. If $I(V;X|U) \leq I(V;Z|U)$, in the reconciliation we set $R_2 = 0$ so that we now have

$$R = I(U;Y) - I(U;Z) + [I(V;X|U) - I(V;Z|U)]^+ - \delta(\epsilon) - \delta(N).$$

Then, if I{U;Y) ^ I{U;Z), in the reconciliation protocol, we choose = (see the beginning of 
the proof), and we assume that is provided by a genie to Eve. Consequently, we obtain instead of 
Equation (12), 

H^{V''\Z'' = z^, = u^,B = b,Q = l,T = l) 

^ m{H{V''\Z''U'') - (5(e)) - 6lim) - NI{V; Y\XU) - Vn - iVro(e), 
and conclude in the same manner, to obtain

$$R = [I(U;Y) - I(U;Z)]^+ + [I(V;X|U) - I(V;Z|U)]^+ - \delta(\epsilon) - \delta(N).$$

2) Continuous case: We use the following lemma to extend the result to the continuous case.

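Lemma 3 ([33], [34], [35]). Let $X$ and $Y$ be two real-valued random variables with probability distributions $P_X$ and $P_Y$ respectively. Let $\mathcal{E}_{\Delta_1} = \{E_i\}_{i \in \mathcal{I}}$, $\mathcal{F}_{\Delta_2} = \{F_j\}_{j \in \mathcal{J}}$ be two partitions of $X$ and $Y$ such that for any $i \in \mathcal{I}$, $P_X(E_i) = \Delta_1$, and for any $j \in \mathcal{J}$, $P_Y(F_j) = \Delta_2$, where $\Delta_1, \Delta_2 > 0$. Let $X_{\Delta_1}$, $Y_{\Delta_2}$ be the quantized versions of $X$, $Y$ with respect to the partitions $\mathcal{E}_{\Delta_1}$, $\mathcal{F}_{\Delta_2}$, respectively. Then, we have

$$I(X;Y) = \lim_{\Delta_1, \Delta_2 \to 0} I(X_{\Delta_1}; Y_{\Delta_2}).$$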

Proof: We now use the general definition of mutual information given in [34], 

I{X-Y)^sv.Y>I{X-Y){£,F), 

with 

Let e, ei > 0. Let = {E^,}i^^^ , J"o = . ^ be partitions of X and Y, such that \I{X; Y){£a, F^)- 

I{X;Y)\^ e/2. Let .Sai = {^i}tex> -^A^ = {Fj}j&J be partitions of X and Y, where Ai,A2 > 0. 
Let £ = {E^}i^x, ^ = be partition of X and Y such that they have for sub-partition <5ai, 

J^Aa respectively. Then, we choose Ai, A2 small enough such that for any i G Xq, for any j G Jo, 

Px((^°\A°) U < ei. ^y{{F^\F^) U < ei- Now by [33], 

/(^A, , Fa J = /(X; y ) A, , -Fa J ^ /(X; y ) ^) . 
Then, for ei small enough 

I{X^„Y^,) ^ I{X-Y){£o,F^) - e/2. 

Hence, 

/(X; y) ^ /(Xa, , yAj ^ /(X; 1") - e. 

■ 

Let (5 > 0. Let Ai,A2 > 0. As in Lemma 3, from partitions of X, Y, U, V, and Z, we construct 
C^Ai, Vai, Xai, yAi, -^Aa- Let us apply the proof of the discrete case to the random variables Ua^, Va^, 
Xai, Yai, and Za2- By Lemma 3 if we let A2 — )■ 0, then Equation (27) becomes 



k = IN[I{Ua,;Ya,) - I{Va,;Xa,\Ua,) - I{Ua,;Z) - I{Va,; Z\Ua,)] - rs{e,N) - VN\, 

then, by Lemma 3 we choose Ai such that \I{Ua,;Ya,) - I{U;Y)\< 6/4, \I{Va,; Xa^IUa,) 
IiV;X\U)\< 6/i, \I{Ua,;Z)- I{U;Z)\< 6/i, and \I{Va,; Z\Ua,) - HV; Z\U)\< 6/i. Hence, 



k ^ IN[I{Y; U) - I{V; X\U) - I{U; Z) - I{V; Z\U)] - N6 - r3(e, N) - VN\ . (30) 

At this point, we cannot conclude with the last inequality. Indeed, in the term r-i{e,N) are hidden the 
following terms: NH{XAAZYA,UA^)e (see (18)), N H{Ya,\ZU a^VaJc (see (22)), NH{UA,)e and 
A^ff(VAi|f^Ai)e (by definition of ro(e)), which do not go to as goes to infinity after normalization
by A^. Now, if we choose e = n~"-, where a g]0, 1/2[, so that for i G [0, 5j, (5*(n) = d{N),^^ then 

R=^ = HY; U) - I{V; X\U) - I{U; Z) - I{V; Z\U) - 6 - S{N). 

Moreover, we still have a leakage verifying (28), and Alice and Bob still share the same key K 
asymptotically, because in Equation (29), Pe{e,n) exponentially decreases with n with the previous 
choice of e. 

B. Proof of Theorem 5 

Theorem 5 is not directly deduced from Theorem 4. We first consider the case of one-way public 
communication, in which Alice sends messages to Bob, a first time with rate Ri and a second time with 
rate i?2. For this scenario we note C*^^ the reconciliation capacity. 

We can modify the proof of Proposition 1 to obtain'^ the reconciliation capacity. For Ri,R2 G M^, 

R2) = max [/([/; Y) + I{V; Y\U)] subject to 

Ri^I{X;U\Y) (31) 

R2^I{V-X\YU) (32) 

U ^Y, (33) 

V ^UX ^Y. (34) 

Then, we can modify the proof of Theorem 4 to prove that^" we can achieve the rate 

R;,sk{Ri,R2) = max {[I{Y; U) - I{Z- [/)]+ + [I{Y- V\U) - I{Z- V\U)]+) , 

subject to rate constraints (31), (32) and Markov conditions (33), (34), by a reconciliation phase followed 
by a privacy amplification phase performed with extractors, and this time without the assumption X — 
y — )• Z. Then, observe that 

i?wsK(0, R2) ^ ma^x[/(y; V\U) - I{Z- V\U)], 

'^'Recall that P^{e,n) decreases exponentially to zero as ne^ goes to infinity. 
"The proof can be found in Appendix G-A. 
^"The proof can be found in Appendix G-B. 
subject to rate constraints I{U; X) - I{U; Y) = Ri = 0, (32) and Markov conditions (33), (34). Note
that Markov condition 

U ^ X ^YZ, (35) 

implies Markov conditions (33) and (34) and that if Markov condition (35) holds, then the rate con- 
straint (32) becomes 

R2 ^ I{X; V\U) - I{Y; V\U) = I{X; V) - I{Y; V) - I{X; U) + I{Y; U), 

so that 

^wsK(0,i?2) ^ m^[IiX;V\U)-IiZ;V\U)], 

subject to rate constraint R2 ^ I{X; V) — I{Y; V) and Markov condition (35). Hence, R^^^{0, R2) ^ 
Cwsk{R2,0) by Theorem l.b. 

C. Proof of Theorem 6 

The proof of Theorem 6 is the same as the one of Theorem 4 without the RV Z. We are able to show 
that reconciliation and privacy amplification can be treated independently because by Proposition 1, for 

which means that the auxiliary RVs (U,V) (resp. U) maximizing Crec{Ri, R2) in Theorem 1 and 
Cwsk{Ri,R2) in Corollary 2.2 (resp. Crec(^i,0) in Theorem 1 and Cwsk(-Ri>0) in Corollary 2.b) 
are the same. Hence, an optimal reconciliation leads to an optimal sequential key-distillation. 

Appendix C 
Proof of Proposition 2 

The proof is partially found in [16] and all that remains to be proved are the equality in the communication rate constraint and the range constraint $|\mathcal{U}| \leq |\mathcal{X}|$.

A. Equality in the constraint

To prove that equality holds in the constraint for the argument of the maximum in Proposition 2, we can reuse the proof of Proposition 1 in Appendix A-A, so that we only need to show that $f(U) = I(Y;U) - I(Z;U)$ is convex in $p_{U|X}$. To obtain the convexity of $f$, we replace $(X,Y)$ by $(Y,Z)$ in the function $f_1$ of Lemma 1.

B. Range constraint $|\mathcal{U}| \leq |\mathcal{X}|$

The proof relies on a technique used in [36]. 

Define $\mathcal{R} = \{(R, R_1) : R \leq I(Y;U) - I(Z;U),\ R_1 \geq I(X;U) - I(Y;U), \text{ with } U \to X \to Y\}$, and
$\mathcal{C} = \{(R, R_1) : R \leq I(Y;U) - I(Z;U),\ R_1 = I(X;U) - I(Y;U), \text{ with } U \to X \to Y\}$.
Note that the capacity region $\mathcal{C}$ is from Proposition 2 and that the equality in the communication rate constraint is crucial to make it a subset of $\mathcal{R}$. By [36, Lemma 3],

n = {iR, Ri) : VAi, A2 G M+, XiR + X2R1 ^ G(Ai, A2)} , 

where VAi, A2 G M+, G(Ai, A2) = inf [Ai(/(y; U) - I{Z; U)) + A2(/(X; U) - I(Y; U))] . 

U s.t U^X~>-Y 

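Consequently $G(\lambda_1, \lambda_2)$ is sufficient information to describe $\mathcal{R}$. Then, we show that for all $\lambda_1, \lambda_2 \in \mathbb{R}^+$, $G(\lambda_1, \lambda_2)$ can be achieved by considering a discrete random variable $U$ such that $|\mathcal{U}| \leq |\mathcal{X}|$.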

Let Ai,A2 G K^, let V in [36, Lemma 2] be the [A" [-dimensional probability simplex, and let X = 
{xi}l^[. Consider V as a set of elements of the form of P, where 

p = (p(X = xi\U = u),F{X = X2\U = u),.. .,F{X = x\x\\U = u)) , 

with u £U. Then, each probability distribution on U defines a measure // on V. Define Hp{X), Hp{Y), 
and Hp{Z) as the entropies of X, Y, and Z respectively, when the distribution of X is P. Define 

h{P) ^ \i{Hp{Z) - Hp{Y)) + \2{Hp{Y) - Hp{X)) 
f,{P)^P{x,), for jG [2,1^11. 

Let P^ achieve G(Ai,A2), and let fi* be such that J^Pfi*{dP) = P^. Denote by H*{X) the entropy 
of X under probability distribution P^. Then, by [36, Lemma 2], there exists Pi, P2, . . . , P\x\, and 
ai, 02, . . . , a\x\ such that, Y}^[ ai = 1, for j G [[2, \X\} 

r 

P*x{^j)= / fJ{P)^^*idP) = Y,O^^MP^)^ 

and, 

Xi{H*{Z\U) - H*{Y\U)) + X2{H*{Y\U) - H*{X\U)) 

= Ai / {Hp{Z) - Hp{Y))fi*{dP) + X2 [ {Hp{Y) - Hp{X))fi*{dP) 
Jr Jv 

= [ h{P)ii*{dP) 
\x\ 

= Y^a,h{P,). 

i=l 
From $P^*_X(x_j)$, $j \in \llbracket 2, |\mathcal{X}| \rrbracket$, we can compute $H^*(X)$, $H^*(Y)$, and $H^*(Z)$, since $U \to X \to Y \to Z$. Hence,

$$\begin{aligned}
&\lambda_1(H^*(Y) - H^*(Y|U) - H^*(Z) + H^*(Z|U)) + \lambda_2(H^*(X) - H^*(X|U) - H^*(Y) + H^*(Y|U)) \\
&= \lambda_1(I^*(Y;U) - I^*(Z;U)) + \lambda_2(I^*(X;U) - I^*(Y;U)) \\
&= G(\lambda_1, \lambda_2).
\end{aligned}$$

We have thus shown that we can choose $U$ such that $|\mathcal{U}| \leq |\mathcal{X}|$ to achieve $G(\lambda_1, \lambda_2)$. Consequently, it is enough to consider $U$ such that $|\mathcal{U}| \leq |\mathcal{X}|$, to form the set $\mathcal{R}$, as well as the set $\mathcal{C}$, since $\mathcal{C} \subset \mathcal{R}$.

Appendix D 
Proof of Proposition 3 

If Ri ^ H{X\Y), then by Proposition 2 Cwsk(^i,0) = 1{X-Y). Assume Ri H{X\Y)[ in 
the following. We note X = {0,1} and by Proposition 2, we can assume U = {ui,U2]- We note 
Pi = p{X = 1\U = ui) and /32 = p{X = 0\U = U2). We can write 



liU- X) - I{U; Y) = H{X) - HiY) - J] p{ui)[H{X\U = m) - H{Y\U = m 

i=l,2 

= 1 _ H{Y) - J2 PMlHbiPi) - H{Y\U = u,)] 



i=l,2 



1 - H{Y) - p{u,) 

i=l,2 



HbiPi) + 'Yp{y\ui)\ogp{y\ 

y&y 



Ui 



with \/y ey, 



p{yWi) = ^ p{x\ui)p{y\x) = (1 - l3i)p{y\x = 0) + l3ip{y\x = 1), 



p{y\u2) = ^ p{x\u2)p{y\x) = /32p{y\x = 0) + (1 - (32)p{y\x = 1). 
Moreover, since the channel Py\x is symmetric, there exists a permutation vr G &\y\ such that 

Vy G 3^, Vx G X,p{y\x) = p(7r(y)|x 1), 



(36) 

(37) 
(38) 

(39) 
where ® denotes the modulo 2 operation. Thus by (37), (38), (39) there exists gY\x^^ such that H{Y\U =
ui) = gY\xWi\ H{Y\U = U2) = 5y|x(/32). Then, 

I{U; X) - I{U; Y) = l- H{Y) - J] p{ui) [Hb{Pi) - 9y|x(ft)] • (40) 

i=l,2 

Similarly, by using that the channel pz\x is symmetric, there exists gz\x such that H{Z\U = ui) = 
9z\x{Pi) and H{Z\U = U2) = gz\x{P2)- Thus, we also have 

I{U; Y) - I{U; Z) = H{Y) - H{Z) - J] p{ui) [gY\xW^) - gz\xW^)\ • (41) 

i=l,2 

Consider the region TZi and TZ2 

7^l ^ {{R, Ri)\R<. H{Y) - H{Z) - gyixiM + 5z|x(/3o), 

Ri^l- H{Y) - HbiPo) + gY\xm,f3o € [0, 1]}, 

7^2 = {{R, Ri)\R ^ I{Y; U) - I{Z- U), Ri ^ I{X; U) - I{Y; U), {^1,^2) G [0, 1]'} . 

We easily verify that both regions $\mathcal{R}_1$ and $\mathcal{R}_2$ are convex and that $\mathcal{R}_1 \subseteq \mathcal{R}_2$. We will use a similar technique as in [37], based on Lemma 4, to show that $\mathcal{R}_1 = \mathcal{R}_2$. Then, thanks to the refinement proposed in Proposition 2 (equality in the constraint), we will be able to conclude

{{R, Ri)\R ^ H{Y) - H{Z) - 5y|x(/3o) + 5z|x(/3o), i?i = 1 - H{Y) - + 9Y\x{f3o),Po e [0, 1]} 

= {{R, Ri)\R ^ I{Y- U) - I{Z- U), Ri = I{X; U) - I{Y; U), {^1,^2) G [0, 1]'} . 

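Lemma 4 ([37], [25]). Let $\mathcal{C} \subseteq \mathbb{R}^n$ be convex. Let $\mathcal{C}_1 \subseteq \mathcal{C}_2$ be two bounded convex subsets of $\mathcal{C}$, closed relative to $\mathcal{C}$. If every supporting hyperplane of $\mathcal{C}_2$ intersects with $\mathcal{C}_1$, then $\mathcal{C}_1 = \mathcal{C}_2$.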

Let {R, Ri) G 7^2, and let a G [0, 1], then we have by (40), (41) 
aR+{l- a)Ri 

^ a{I{Y; U) - I{Z- U)) + (1 - a)(/(X; U) - I{Y; U)) 

= HH{Y) - H{Z) - gY\x{Pi) + 9z\x{m + (1 - a)(l - H{Y) - /^^(A) + 5y|x(ft))]p(ni) 

j=l,2 

^ a{H{Y) - H{Z) - gY\x{n + gz\x{n) + (1 - «)(! - H{Y) - H^{P*) + ffy|x(r )), (42) 

^'The exact description of gY\x is not important here, what matters is that HiY\U — iti) and H{Y\U = M2) can be 
expressed with the same function. 
Where 13* = avgmaxp{a{H{Y)-H{Z)-gYix{P)+gz\xm + (1 - a)(l - H{Y) - Hbif3) + gYixW)))-
With the last inequaUty, we show that every supporting plane of 7^2 intersects TZi. Note that the weight 
coefficients of {R, Ri) have been taken of the form (a, I — a) with a G [0, 1], because by positivity and 
convexity of 7^2 > we only needed to consider hyperplanes (lines) with negative slope to apply Lemma 4. 
Let be a boundary point of 7^2- There exists a supporting hyperplane T-Lq at {R^^R^) defined 

by (q°, 1 - a°). By equation (42), there exists /3q G [0, 1] such that 

a°i?° + (1 - a°)i?? ^ a^R* + (1 - a°)Rl, 

where ^ (//(F) - -5y|x(r ) ), 1 -^(^ +5y|x(r ))■ Then, since 

G 7^1 C 7^2, we also have, by definition of Hq 

oPR* + (1 - a°)i?l ^ a°i?° + (1 - a°)i??. 

Hence, a^i?* + (1 - a°)iil = + (1 - a°)i2?, and thus {R*,R\) G "Ho- 

Appendix E 
Proof of Proposition 6 

Consider X ~ AA(0, a^,), N ~ AA(0, cj^), F = X + iV. We have al = al + al and 



exp 



2^ 



, Px\y{x\v) 



1 0-^ 



exp 



X 



Let $n \in \mathbb{Z}$. Let $\Delta > 0$. Define $U$, a scalar quantized version of $X$, as follows:

$$p_{U|Y}(u_n|y) = p_{X|Y}(t_n|y)\Delta, \quad p_U(u_n) = p_X(t_n)\Delta, \quad \text{where } t_n = \Delta/2 + (n-1)\Delta.$$

Then,

$$H(U) = -\sum_n p_U(u_n) \log p_U(u_n) = S_U - \log \Delta, \quad \text{where } S_U = -\sum_n \Delta\, p_X(t_n) \log p_X(t_n).$$

Observe that $S_U$ is a middle Riemann sum that approaches $h(X) = -\int p_X(x) \log p_X(x)\,dx$. Thus, if we set $f(x) = -p_X(x) \log p_X(x)$, we can show that for any $a \in \mathbb{R}^+$,



\h{X)-Su\ 



f-Su 



+00 

+ / f{x)dx 

— oo J a 



+ 



Su 



f{x)dx 



^ ei(a) + i^i(a)A2, 



"We used the middle Riemann sum error bound, and erfc(a::) ^ e 
with Ki{a) = t| max|/"|, ei(a) = e ^[aia + where ai = -7= — , /3i
Similarly, if we define 



log 



_ 1 



'S'c/iy = -^A / PY{y)px\Y{tn\y)logpx\Y{tn\y)dy, andg{x)= / (y)px|y (a^ly) logpx|Y(a;|y)dy, 
then, as previously, we can show that for any a G 

|/i(X|y) - Su\Y\i^ e2{a) + i^2(a)A2, 

with K2(a) = ^ max|(7"|, £2(0) = e ^[02^ + ^2], where 02 

'—a, a] 

2 V2cr„ ^^2(72^2 log 1^ 27r<T2 ct2 ; ; 



1 K-^r 

j2 iiia^iy |, 021^"; — ^ ["2" T M2J> wiicic ul2 — —7k= ^pi^ > 

[—a, a] V^'"" H II 



h = Y»2 + 

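Thus,

$$\log \Delta - (\epsilon_2(a) + K_2(a)\Delta^2) \leq h(X|Y) - H(U|Y) \leq \log \Delta + \epsilon_2(a) + K_2(a)\Delta^2.$$

Hence, for any $a \in \mathbb{R}^+$, if we take $\Delta$ small enough, then $\log \Delta \gg \epsilon_2(a) + K_2(a)\Delta^2$, such that $h(X|Y) - H(U|Y) \approx \log \Delta$, and

$$\begin{aligned}
|I(X;Y) - I(Y;U)| &= |h(X) - S_U + S_{U|Y} - h(X|Y)| \\
&\leq \epsilon(a) + K(a)\Delta^2 \\
&\approx \epsilon(a) + K(a)\exp[2(h(X|Y) - H(U|Y))] \\
&= \epsilon(a) + K(a)\exp[2(h(X|Y) - R_1)], \qquad (43)
\end{aligned}$$

where $\epsilon(a) = \epsilon_1(a) + \epsilon_2(a)$, $K(a) = K_1(a) + K_2(a)$.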
If we take a = axV^Ri in (43), we obtain 

\I{X; Y) - I{Y; ?7)|^ [aRi + ^]e~^' + E:V^e[2('*(^l^)-«i)], 

where a = ai+a2, /? = /3i+/32, = %^[max(|/"|+|c/"|)]. We can show that K ^ [|log(^/2^CT^.)l+ll+ 
4/32 + V7ra2(ll/\/2cj2 -2)]/[24/7rcr2]. To sum up, if i?i is large enough, i.e Ri > h{X\Y), then A can 
be chosen small enough to ensure log A » e2+i<r2A^, so that I{Y; U) approaches I{X; Y) exponentially 
fast as Ri increases. 

Appendix F 

Error analysis of the reconciliation protocol 

In this section, we detail the error probability analysis for the reconciliation capacity in Proposition 1. Although the proof uses standard tools and is close to the work in [28], [10], we perform a finer analysis, and show the exponential decrease of $P_e(\epsilon, n)$ to zero as $n\epsilon^2$ goes to infinity, which then allows us to extend our result to the case of a continuous source model.

In the following, we use the same notations as in Appendix A-B2. Define,



^0 


_A 


{iX-,Y-)^V:{XY)}, 




_A 


{{n^{u;,u),X^)^Tr{UX)}, 




_A 


{{u-{io,u),Y-)^lT{UY)}, 




_A 


{{u^ioj, v),Y\ v^iiv, V, k,l))i TZ{UYV)], 




_A 





where indices with capital letters denote random variables. 



Define 
We have 



Pe{e,n,Cn) 



i=l 
6 

i=0 
6 



.1=0 



i-1 



E 

1=1 

6 



Ai n Pi ^; 



j=0 



•[Ao] 



+ P [A] 



1=0 



where Pf, 



A^nfXj=lA'j , for i = [[1,6]1 and Pe„ = P[A]- We now upper-bound Ec„[PeJ for 



i G [0, 6l| by using the tools in [30]. 

Ec„[Peo] = 2\X\\y\exp{-nejtixY), 



pix^,y^)t{\/ioj,u),iu^{u,i.),xn ^ViUX) and (x", y") e 7;^(Xy)} 



E, 



_(x",y")er,'j(XY) 

p(x",y")P{V(a;,z/),([7"(a;,i^),x") ^7r(t/^)} 

(x",y")Gr;'(xy) 
(x",y")er;'(xy) 

^ J] p(x",y'^)exp(-2-(^"+^")p[([/"(a;,i/),x") G7;"(^X)]) 
(x",s,")er;;(xy) 

(x",s/")er;;(xy) 
^ exp (- (l - 5(1), (n)) 2"(^^+^;.-^(^;^)-2^^^(t^)) 



where 4,4(n) ^ 2|Af||^/|exp (-ni^f^^t/y ), 
p{x\ ynH{y\ u^\^, i^)) G rriYU) and {x\ u'\u, u)) G ViXU)} 

{x»,y-)eT-(XY) 



J2 p(x",y")l{(y",t."(a;,^)) G 7T{YU)} 

{x-,y-)eT"{XY) 



w,v v^v (x^ ,yn ) eT,1 {XY) 

^ 2"(K--f(t^;^)+2ei^(!/)) 

^ 2-ntH(U) 



63 J 



where = 2|;t'||3^||Z^|exp (^-n^^=^^lxYz), 
Ec„ [lMk,l),iu^{cj,i^),y^,v^ico,,y,k,l)) i TT^UYV) and {y^ , u'' {u , i^)) e 7T{YU)}] 



[ pK,^;")P K(a;,i.),y",t;"(a;,i., A;,/)) ^ 7;:(C/yF) and (y", u"(a;, i.)) G 77(1^^/)] ) 
^Ep^'^'^) E 

^ exp (-(1 - 6f\n)){l - <5(4) („))2-(«.+«:-+^(^l^t^)(i-^=)-"^(^|f^)(i+^=))) 
= exp (-(1 - 5f\n)){l - („))2"(^=(2^^(^|t^)-^^(v|V'C/)))) ^ 

where 5f\n) ^ 2\X\\U\eM-ne'iixu), 5[%{n) ^ 2|V||3^||W|exp {-n^^^iivYu), 

Ec„ [l{(,T",7i"(cj,z/),i;"(a;,i/, G 7;^(X[/F) and {x"" , u'\lj , u)) G 77(X[/)}] 
^ 5^ p(a;,i.,A:,OE E ^^l^''^") E ^'(^") E ^'(^"K) 

^ 5^ p(a;,I.,A:,OE E ^^l^^'^") E p^u^)2^H(V\UX)il+e.)^-nHiV\U)il-e.) 

0J,'^,k,l T^l (x^,y'')eVl{XY) u":{u'^,x")eV(UX) 

< 2''(iH(.V\UX)-2H{V\U))e2)) 
Ec„ [l{V/,(x",n"(w,z^),^;"(w,z.,A;,[)) ^ 1T^{XUV) and (x", n"(L^, r/)) G 77^(X[/)} 



(x",j/")er;;{xy) 



uj,u,k,l {x",y")&%liXY) 



where 6^^^ = 2|A:'||ZY||V|exp /ixi/yj- All in all $\mathbb{E}_{C_n}[P_e(\epsilon, C_n)]$ goes to zero as $n\epsilon^2$ goes to
infinity, and we conclude with the selection lemma [13].



J2 (a;",u"(a;,i/),y"(a;,i/,fc,/)) ^ r,^(X?7y) 

i«":(«",x")er."(J/X) 



Appendix G 
Complements for the proof of Theorem 5 

A. Reconciliation capacity 
Let $R_1, R_2 \in \mathbb{R}_+$.

1) Converse: We first establish the rate constraints on $R_1$ and $R_2$. We have

nRi ^ 



(a) 



(b) 



n[IiA-Xj\U)-I{A;Yj\U)] 

n[I{U;Xj)-I{U;Yj)] 
nI{U;Xj\Yj) 



(44) 



where (a) holds by [28, Lemma 4.1], if we set $U = X^{J-1} Y_{J+1}^{n} J$ and $J$ is a RV uniformly distributed on
$[\![1, n]\!]$, independent of all previous RVs, (b) holds if we set $U = AU$, since $X_J$ and $U$ are independent,
and (c) holds since $U \to X_J \to Y_J$ forms a Markov chain. Similarly, we have



ni?2 ^ ^(^1^) (45) 

i.d) 

^ H{B\AY'') + H{S\S) - n5{e) 

^ I{S; S|^y") + F(5|y45y") - n5{e) 
= H{S\AY'') - n5{e) 
= H{S\A) - I{S- - n5{e) 

= I{S; X^'IA) - I{S; - n6{e) 

n[I{V; Xj\U) - I{V; Yj\U)] - n6{e) 



where (d) holds by Fano's inequality, since for any $\epsilon > 0$, there exists a reconciliation protocol such that
$\mathbb{P}(S \neq \hat{S}) \leq \delta(\epsilon)$, (e) holds since $\hat{S} = \eta_b(Y^n, A, B)$, (f) holds since B = (g) holds by [28,
Lemma 4.1] and if we set $V = S$.
We now determine the reconciliation capacity bound.

n 

i{S;X^) = Y,HS;Xi\x'-') 

i=l 
n 

i=l 
n 

^Y.nSX^''^^+l■,X^) 
1=1 
n 

= n^¥iJ = i)I{SX'-'Yy^,;Xj\J = i) 

i=l 

= nI{SU-Xj\J) 

^nI{VU;Xj), (46) 
$\delta(\epsilon)$ denotes a function of $\epsilon$ such that $\lim_{\epsilon \to 0} \delta(\epsilon) = 0$.
where (a) holds because the $X_i$'s are i.i.d. Then,

H{S) - H{AB) = I{S; X") + - H{A) - H{B\A) 

(b) 

^ nI{VU;Xj) - H{A) - H{B\A) 

2 n[I{VU- Xj) - I{U; Xj\Yj) - I{V; Xj\U) + I{V; Yj\U) + 5(e)] 
= n[I{U;Yj) + I{V;Yj\U)+S{e)], 

where (b) holds by (46) and since $S = \eta_a(X^n)$, and (c) holds by (44) and (46).
For a DMS, standard techniques [28] show that \U\i^ and |V|^ 

B. Sequential key distillation 

1) Discrete case: Let $\epsilon > 0$. Let $R_2 \in \mathbb{R}_+$. Let $m, n \in \mathbb{N}$, and define $N = nm$. Let $k \in \mathbb{N}$, to be
determined later. Consider a sequential key-distillation strategy $\mathcal{S}_n$ that consists of

• $m$ repetitions of a reconciliation protocol $\mathcal{R}_n$ based on Wyner-Ziv coding. After one repetition
of the protocol, Alice obtains $S^n = (U^n V^n)$, whereas Bob has $\hat{S}^n = (\hat{U}^n \hat{V}^n)$ with
$\mathbb{P}[U^n \neq \hat{U}^n] \leq \delta_\epsilon(n)$,$^{24}$ $\mathbb{P}[V^n \neq \hat{V}^n] \leq \delta_\epsilon(n)$, $\mathbb{P}[S^n \neq \hat{S}^n] \leq P_e(\epsilon, n)$, and $(U^n, V^n, X^n)$, $(U^n, V^n, Y^n)$
jointly typical with probability approaching one for $n$ large. In addition, the information disclosed
over the public channel during the $m$ repetitions of the reconciliation protocol is upper bounded by
$\log|\mathcal{A}|^m + \log|\mathcal{B}|^m = N I(U; X|Y) + N I(V; X|YU) + N r_0(\epsilon)$, with $\lim_{\epsilon \to 0} r_0(\epsilon) = 0$;

• privacy amplification based on extractors, with output size $k$, at the end of which Alice computes her
key $K = g(S^N, U_d)$, while Bob computes $\hat{K} = g(\hat{S}^N, U_d)$, where $U_d$ is a sequence of $d$ uniformly
distributed random bits.

The total information available to Eve after reconciliation consists of her observation $Z^N$, the public
messages $A^m$ and $B^m$ sent by Alice, and $U_d$. The strategy $\mathcal{S}_n$ is also known to Eve, but we omit the
conditioning on $\mathcal{S}_n$ for convenience.

$^{24}$ $\delta_\epsilon(n)$ denotes a function of $\epsilon$ and $n$ such that $\lim_{n \to \infty} \delta_\epsilon(n) = 0$.

We can show that $P_e(\epsilon, n)$ decreases exponentially to zero as $n\epsilon^2$ goes to infinity.
We first show that, for a suitable choice of the output size $k$, we have $k \geq H(K|U_d Z^N A^m B^m) \geq
k - \delta(N)$. Let us start by defining the following RVs

1 if {S^, Z^) e 7^7(5'" Z") and Z'^ e TJ^iZ""), 
otherwise. 



1 if H^{S^\z^,a^,b^,Q = l)^log{\A\^\B\^) + VN, 

T = ^ 

otherwise. 

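By Lemma 2 applied to the DMS $(\mathcal{S}^n \times \mathcal{Z}^n, p_{S^n Z^n})$, $\mathbb{P}(\Theta = 1) \geq 1 - \delta_\epsilon^0(m)$, and by [9, Lemma 10],
$\mathbb{P}(T = 1) \geq 1 - 2^{-\sqrt{N}}$. Hence, $\mathbb{P}(T = 1, \Theta = 1) \geq 1 - \delta_\epsilon^0(m) - 2^{-\sqrt{N}}$, and

$$H(K|U_d Z^N A^m B^m) \geq \left(1 - \delta_\epsilon^0(m) - 2^{-\sqrt{N}}\right) H(K|U_d Z^N A^m B^m, T = 1, \Theta = 1). \qquad (47)$$

To lower bound $H(K|U_d Z^N A^m B^m, T = 1, \Theta = 1)$, we first lower bound $H_\infty(S^N|Z^N = z^N, A^m = a^m,
B^m = b^m, \Theta = 1, T = 1)$ to be able to use Theorem 3. By definition of $T$,

$$\begin{aligned}
H_\infty(S^N|Z^N = z^N, A^m = a^m, B^m = b^m, \Theta = 1, T = 1)
&\geq H_\infty(S^N|Z^N = z^N, \Theta = 1) - \log(|\mathcal{A}|^m |\mathcal{B}|^m) - \sqrt{N} \\
&\overset{(a)}{\geq} m(H(S^n|Z^n) - \delta(\epsilon)) - \delta_\epsilon^0(m) - N(I(U; X|Y) + I(V; X|YU)) - \sqrt{N} - N r_0(\epsilon), \qquad (48)
\end{aligned}$$

where (a) follows from Lemma 2, and $\log(|\mathcal{A}|^m |\mathcal{B}|^m) = N(I(U; X|Y) + I(V; X|YU)) + N r_0(\epsilon)$. We
now lower bound $H(S^n|Z^n)$. We first remark that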

$$\begin{aligned}
H(S^n|Z^n) &= I(X^n; S^n|Z^n) + H(S^n|X^n Z^n) \\
&= H(X^n|Z^n) - H(X^n|Z^n S^n) + H(U^n|X^n Z^n) + H(V^n|X^n U^n Z^n) \\
&\overset{(b)}{=} n H(X|Z) - H(X^n|Z^n S^n), \qquad (49)
\end{aligned}$$

where (b) holds since $U^n$ and $V^n$ are functions of $X^n$, and because the $X_i$'s and $Z_i$'s are i.i.d.
We lower bound the term in (49). Define

1 if y", z") e r2''^((xc/)yz), 

otherwise. 



Ti ^ 



1 if (X";/", y") G ((x;7)y), 

otherwise. 



$\delta(n)$ denotes a function of $n$ such that $\lim_{n \to \infty} \delta(n) = 0$.
We can write 

= /7(riAi|z"5") + F(x"|z"5"riAi) 

^2+ = 7i|Ai = '^i)nAi = <5i)i?(X"|Z"5",ri = 7i,Ai = (^1) 

5i,7ie{o,i} 

^2 + F(X"|Z"5",ri = l,Ai = 1) + n(252(^) ^^3(^)/2)log|A'|, (50) 

where (c) holds since P(Ai = 0) ^ (52(n)r^ and P(ri = 0|Ai = 1) ^ 6^{n)/2?^ Indeed, we can apply 
Markov Lemma (see the version in [31]), since we have — )■ X^U^ — )• and for every ((xu)", z"), 

n n 

p{z^\x'^u^) = = = JJpz|x;7(-2^ikiWi), because C/" — ^ — > Z". Then, 

1=1 i=l 

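$$\begin{aligned}
H(X^n|Z^n S^n, \Gamma_1 = 1, \Delta_1 = 1)
&= \sum_{z^n, s^n} p(z^n, s^n|1, 1)\, H(X^n|Z^n = z^n, S^n = s^n, \Gamma_1 = 1, \Delta_1 = 1) \\
&\leq \sum_{z^n, s^n} p(z^n, s^n|1, 1) \log|T_{2\epsilon}^{n}(X|z^n, s^n)| \\
&\leq \sum_{z^n, s^n} p(z^n, s^n|1, 1) \left(n H(X|ZS)(1 + 2\epsilon)\right) \\
&\leq n H(X|ZS)(1 + 2\epsilon). \qquad (51)
\end{aligned}$$

Hence by (50), (51),

$$H(X^n|Z^n S^n) \leq n H(X|ZS) + r_2(\epsilon, n), \qquad (52)$$

where

$$r_2(\epsilon, n) = 2n H(X|ZS)\epsilon + n(2\delta_2(n) + \delta_3(n)/2) \log|\mathcal{X}| + 2. \qquad (53)$$

Combining (49), (52),

$$H(S^n|Z^n) \geq n[H(X|Z) - H(X|ZS)] - r_2(\epsilon, n). \qquad (54)$$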

^'We have Si(ri) ^ Pe(e, w) by Wyner-Ziv coding in the reconciliation protocols. 
^^'By Markov Lemma, we have (5i^(n) = 2|5xc/zle"''"''^^^''^ 
Then, remark that

$$\begin{aligned}
H(X|Z) - H(X|ZS) &= I(X; S|Z) \\
&= H(U|Z) + H(V|UZ) - H(U|XZ) - H(V|UXZ) \\
&\overset{(d)}{\geq} H(U|Z) + H(V|UZ) - H(U|X) - H(V|UX) \\
&= I(U; X) - I(U; Z) - I(V; Z|U) + I(V; X|U), \qquad (55)
\end{aligned}$$

where (d) holds because conditioning reduces entropy. Hence, by (48), (54) and (55)

$$H_\infty(S^N|Z^N = z^N, A^m = a^m, B^m = b^m, \Theta = 1, T = 1) \geq N[I(U; Y) + I(V; Y|U) - I(U; Z) - I(V; Z|U)] - r_3(\epsilon, N), \qquad (56)$$

where

$$r_3(\epsilon, N) \triangleq m(r_2(\epsilon, n) + \delta(\epsilon)) + \delta_\epsilon^0(m) + N r_0(\epsilon) + \sqrt{N}. \qquad (57)$$

Set $k$ to be less than the lower bound in (56) by $\sqrt{N}$:

$$k \triangleq \left\lfloor N[I(U; Y) + I(V; Y|U) - I(U; Z) - I(V; Z|U)] - r_3(\epsilon, N) - \sqrt{N} \right\rfloor. \qquad (58)$$

Now that we have lower bounded $H_\infty(S^N|Z^N = z^N, A^m = a^m, B^m = b^m, \Theta = 1, T = 1)$ in (56) by $k$
(defined in (58)), we can apply Theorem 3 to lower bound $H(K|U_d Z^N A^m B^m, T = 1, \Theta = 1)$ by $k -
N\delta^*(N)$, where $\delta^*(N)$ is defined in the theorem. Thus, we can finally lower bound $H(K|U_d Z^N A^m B^m)$
in (47):

$$H(K|U_d Z^N A^m B^m) \geq \left(1 - \delta_\epsilon^0(m) - 2^{-\sqrt{N}}\right)(k - N\delta^*(N)) = k - \delta(N),$$

where the equality is obtained thanks to the exponential decrease of $\delta^*$ and $\delta_\epsilon^0$. Moreover, the leakage is
such that

$$I(K; U_d Z^N A^m B^m) = H(K) - H(K|U_d Z^N A^m B^m) \leq \delta(N). \qquad (59)$$

The keys computed by Alice and Bob are almost the same as goes to infinity, since

$$\mathbb{P}(K \neq \hat{K}) \leq \mathbb{P}(S^N \neq \hat{S}^N) \leq m\,\mathbb{P}((U^n V^n) \neq (\hat{U}^n \hat{V}^n)) \leq m P_e(\epsilon, n). \qquad (60)$$

Then, by (53), (57), we have that $r_3(\epsilon, N)/N = \delta(N) + \delta(\epsilon)$, thus the secret key rate $R = k/N$ is

$$R = I(U; Y) - I(U; Z) + I(V; Y|U) - I(V; Z|U) - \delta(\epsilon) - \delta(N).$$
We finish the proof as follows. If $I(V; Y|U) \leq I(V; Z|U)$, in the reconciliation we set R2 = so that
we now have

$$R = I(U; Y) - I(U; Z) + [I(V; Y|U) - I(V; Z|U)]^+ - \delta(\epsilon) - \delta(N).$$

Then, if $I(U; Y) \leq I(U; Z)$, in the reconciliation protocol, we choose $S = V$ (see the beginning of
the proof), and we assume that is provided by a genie to Eve. Consequently, we obtain instead of
Equation (48),

$$H_\infty(V^N|Z^N = z^N, U^N = u^N, B = b, \Theta = 1, T = 1) \geq m(H(V^n|Z^n U^n) - \delta(\epsilon)) - \delta_\epsilon^0(m) - N I(V; X|YU) - \sqrt{N} - N r_0(\epsilon),$$

and conclude in the same manner, to obtain

$$R = [I(U; Y) - I(U; Z)]^+ + [I(V; Y|U) - I(V; Z|U)]^+ - \delta(\epsilon) - \delta(N).$$
2) Continuous case: We proceed as in the proof of Theorem 4 in Appendix B-A2. 